WO2013110857A1 - Privileged access auditing - Google Patents

Privileged access auditing

Publication number
WO2013110857A1
Authority
WO
WIPO (PCT)
Prior art keywords
connection
encrypted
server
audit
private key
Application number
PCT/FI2013/050076
Other languages
French (fr)
Inventor
Tatu J. YLÖNEN
Samuel Douglas LAVITT
Original Assignee
Ssh Communications Security Oyj
Application filed by Ssh Communications Security Oyj
Priority to EP13740858.9A (patent EP2807560B1)
Priority to EP19210119.4A (patent EP3629181B1)
Publication of WO2013110857A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer
    • H04L63/164 Implementing security features at a particular protocol layer at the network layer
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Definitions

  • The invention relates to security in computer networks and computing systems, and particularly to auditing of privileged access to computers.
  • A financial application might have privileged accounts that can be used to configure the system (e.g., select currencies used, create or delete accounts) and normal accounts that can only be used for day-to-day operations or data entry.
  • The PowerBroker product from BeyondTrust, Inc. permits fine-grained control and auditing of certain administrative actions.
  • The Privileged Session Management Suite from Cyber-Ark has similar capabilities and functionality as the Xceedium product, and suffers from similar shortcomings.
  • The Shell Control Box from Balabit also permits monitoring and auditing of SSH, RDP, VNC (Virtual Network Computing), and certain other types of sessions. While it can be operated in Bastion Mode, which is somewhat similar to the aforementioned products, it can also act as an intermediate device in the network between the administrative user and the computer running the application to which the administrative connection is made. It performs a man-in-the-middle attack on the cryptography, which enables it to decrypt, inspect, and record even the contents of encrypted communications protocols.
  • The Shell Control Box is frequently installed next to a firewall and stores all audit data on the Shell Control Box itself. Sometimes it is installed next to the server.
  • firewalls or multiple servers to protect possibly at different sites in widely separated geographic locations
  • Logs from multiple users will be distributed at multiple locations, and since sensitive user data (including passwords) is stored at each device, compromise of even a single device may result in compromise of sensitive passwords.
  • The SSH protocol is described in the Internet Engineering Task Force (IETF) standards RFC 4250 The Secure Shell (SSH) Protocol Assigned Numbers, RFC 4251 The Secure Shell (SSH) Protocol Architecture, RFC 4252 The Secure Shell (SSH) Authentication Protocol, RFC 4253 The Secure Shell (SSH) Transport Layer Protocol, and RFC 4254 The Secure Shell (SSH) Connection Protocol.
  • The original protocol was invented and developed by one of the present inventors in 1997-1999, and then standardized by the IETF.
  • The above-mentioned RFCs are hereby incorporated herein by reference in their entirety. They are freely available for download at www.ietf.org.
  • SSH Secure Shell
  • Client and server software applications are now included in nearly all Unix and Linux versions, such as IBM AIX, HP-UX, Solaris, Red Hat, SUSE, Ubuntu, etc.
  • Popular implementations of the SSH protocol include the open source OpenSSH, which is based on the present inventor's free SSH version 1.12 from 1995, and the commercial Tectia SSH client and server from SSH Communications Security (Tectia Corporation).
  • SSL Secure Sockets Layer
  • TLS Transport Layer Security
  • The Remote Desktop Protocol is based on, and an extension of, the ITU T.120 family of protocols. It is described in detail in Microsoft documentation, available with the Microsoft Developer Network product, under the entry [MS-RDPBCGR]: Remote Desktop Protocol: Basic Connectivity and Graphics Remoting Specification, December 14, 2011, which is hereby incorporated herein by reference. (The document is freely available for download at msdn.microsoft.com.)
  • The invention is not intended to be limited to embodiments that meet any particular objective or provide any particular benefit mentioned herein; in fact, many of the aspects and elements of the invention described herein have independent useful and inventive applications, and may be incorporated into an apparatus, method, computer software, or data structure or another aspect or embodiment of the invention to form a new aspect of the invention.
  • "An embodiment" or "one embodiment" may refer to one exemplary embodiment or class of embodiments, not necessarily all embodiments and possibly different embodiments in each case.
  • auditor data generally, though not necessarily, means the full contents of a session (substantially all packets transmitted in a session) and optionally associated metadata.
  • An aspect of the invention is a system for capturing, decrypting (via a man-in-the-middle attack or otherwise), authenticating, authorizing, controlling, auditing, and/or DLP-controlling connections to applications and/or computers.
  • One possible embodiment of the invention is an apparatus, and components of the system may be embodied in one or more apparatuses.
  • Another embodiment of the invention is a computer program product on a computer-readable medium that can be executed by one or more processors and that may be installed in one or more firewalls, network appliances, dedicated computers, virtual machines, or other data processing systems.
  • Yet other embodiments of the invention include methods for capturing, decrypting, authenticating, authorizing, controlling, auditing, and/or DLP-controlling connections to applications and/or computers.
  • The invention comprises many aspects and elements which may be combined in whole or in part to form new aspects and embodiments of the invention.
  • An aspect of the invention is capturing a session by a firewall plugin installed in a firewall.
  • An aspect of the invention is capturing a session by a capture component inside an SSH (Secure Shell Protocol) server.
  • An aspect of the invention is capturing a session by a capture component inside an SSH client.
  • An aspect of the invention is capturing a session by a capture component inside an RDP (Remote Desktop Protocol) server.
  • An aspect of the invention is capturing a session by a capture component as part of a host-based firewall.
  • An aspect of the invention is performing man-in-the-middle capture for SSH without re-constructing at least 50% of all packets in the session.
  • An aspect of the invention is sending session audit data to an audit server from the capture component, where the audit server for storing recorded sessions and capture component reside on different physical or virtual hosts.
  • An aspect of the invention is sending substantially all data exchanged in a session to an audit server, where the data is either decrypted before sending or the data is sent with information required for decrypting it.
  • An aspect of the invention is sending encoded policy from an audit server to the capture component, capturing a session by the capture component, and using said encoded policy by the capture component in deciding whether the session or action therein is authorized.
  • An aspect of the invention is requesting a private key from a private key server for the purpose of performing a man-in-the-middle attack on an encrypted session. (It should be noted that even though it is called an "attack" for historical reasons, here it is simply used as a technique for obtaining plaintext of a session among co-operating parties.)
  • An aspect of the invention is sending information relating to a particular encrypted session to a private key server, causing a cryptographic operation to be performed by the private key server using a private key and said information, receiving results of the private key operation from the private key server, and performing a man-in-the-middle attack on the session using the results.
  • An aspect of the invention is receiving a connection from a capture component, authenticating the capture component, receiving a request to perform a cryptographic operation using a private key with information relating to a particular session, performing the requested private key operation, and sending the results of the private key operation back to the capture component.
  • An aspect of the invention is decrypting data belonging to a session in a capture component, sending the decrypted data to a Data Loss Prevention system using the iCAP protocol or other suitable protocol, and based on a value returned by the Data Loss Prevention System, either disconnecting the connection or allowing the data to go through.
  • An aspect of the invention is decrypting data belonging to a session in a capture component, sending the decrypted data to an Anti-Virus/Malware checker, and based on a value returned by the Anti-Virus/Malware checker, permitting or denying the data transfer.
  • An aspect of the invention is the audit server receiving audit data relating to a session from a capture component, the audit server sending said data to a Data Loss Prevention System, and in response to the Data Loss Prevention system informing the audit server that transmitting the data is not allowed, causing the capture component to terminate the connection. Another aspect of the invention combines this with flagging the session and/or triggering an alarm.
  • An aspect of the invention is suspending a session by a capture component, informing a policy server by the capture component that a new session to a particular service (service here meaning computer and/or application) is being requested (optionally with information about the requesting user), waiting for the policy server to authorize the connection, and the capture component allowing the session to continue after receiving authorization from the policy server.
  • An aspect of the invention is receiving information from a capture component about a new session and the service being requested, determining that 4-eyes supervision is required for the session, waiting for a user different from the user requesting the new session to authorize the new session, and when such authorization is received, authorizing the capture component to allow the session to continue.
  • An aspect of the invention is receiving a connection for a new session by a capture component, receiving the identity of the user under whose authorization the session is to be performed, suspending the session, sending the user's identity to a policy server, waiting for authorization from the policy server, and in response to receiving such authorization, allowing the session to continue while being monitored.
  • An aspect of the invention is receiving a connection for a new session from a client by a capture component, receiving the identity of the user under whose authorization the session is to be performed, authenticating the user to the requested service, and in addition to receiving notification of successful authentication from the service, the capture component requesting a second authentication from the client, and only notifying the client of successful authentication if also this second authentication is successful.
  • An aspect of the invention is the capture component obtaining information about a service to which a connection request is received from a directory (e.g., an LDAP directory, Kerberos, or Microsoft Active Directory), and determining whether the connection is to be permitted without obtaining connection to an audit or policy server based on the information obtained from the directory.
  • An aspect of the invention is a method for auditing SSL or TLS (e.g., HTTP/S and RDP) sessions comprising: providing a software module on a computer having the private key corresponding to a certificate used by the server for SSL authentication; performing a man-in-the-middle attack in a network device/computer through which packets belonging to the SSL session are routed, the man-in-the-middle attack including identifying which server the SSL session was originally destined to; identifying a server that has access to the private key corresponding to a certificate for the destination server; contacting said software module during the man-in-the-middle attack for performing a private key operation using a private key that said software module provides access to.
  • The software module provides a copy of a private key to a module performing man-in-the-middle attacks, and the man-in-the-middle attack uses a provided local copy of a private key to perform the man-in-the-middle attack.
  • An aspect of the invention is loading a software module for auditing encrypted sessions onto a firewall using an administration interface.
  • Another aspect is a firewall-installable software module stored on tangible computer-readable medium for recording substantially all contents of an encrypted session in a form or with information that permits substantially all contents of the session to be later analyzed in decrypted form.
  • An aspect of the invention is adding of new analysis methods for encrypted connections without modifying capture components.
  • An aspect of the invention is obtaining the private host key for a computer and copying the host key to the audit server.
  • An aspect of the invention is receiving, by a private key server, a request to perform a cryptographic operation with information identifying the destination computer for the session that the request relates to, establishing a connection to the destination server, and causing the sending of a request to the destination server to perform the private key operation relating to the session, together with credentials that tell the destination server that the request is authorized by a private key server.
  • An aspect of the invention is causing the sending of a public key corresponding to a private key using which the capture component can have a cryptographic operation performed to a client as the public key of a service the client can connect to.
  • An aspect of the invention is receiving key escrow data from a co-operative client or server by a capture component, using the key escrow data to decrypt the session, and sending an original encrypted packet belonging to the session to the destination host without re-encrypting it.
  • An aspect of the invention is caching aspects of recently made policy decisions in the capture component to speed up later policy decisions by the capture component.
  • An aspect of the invention is configuring the capture component with more than one audit server address, and in response to one of the configured audit servers not responding, connecting to another audit server. Correspondingly for private key servers and policy servers.
  • An aspect of the invention is deleting passwords from audit data before storing audit data in its long-term storage format.
  • An aspect of the invention is performing OCR (Optical Character Recognition) for an RDP (Remote Desktop Protocol) session or other protocol session transmitting text in graphical format in a capture component and sending text resulting from the OCR to a centralized audit server.
  • Another aspect includes using such text for policy decisions, such as Data Loss Prevention or alerts.
  • An aspect of the invention is storing different connections relating to an SSH session as separate audit log entries in an audit server and making them separately viewable in the audit server user interface.
  • An aspect of the invention is interpreting the contents of a port forwarding connection within an SSH protocol session as another encrypted session (e.g., SSH, RDP, or VNC session), and performing a man-in-the-middle attack on that other SSH session to decrypt its contents.
  • An aspect of the invention is a computer-readable memory system comprising an audit data file for a session wherein the session data is encrypted, and a different encryption key is used for encrypting passwords than other data.
  • An aspect of the invention is the capture component sending more than 50% of audit data to the audit server encrypted using the same encryption keys used for the session on either side of the capture component without encrypting that data using other keys for transmission to the audit server.
  • An aspect of the invention is sharing a single connection to an audit server for multiple sessions, comprising sending a notification about a new session to the audit server, and including with audit data packets an identifier for the session that it belongs to, and sending a notification to the audit server when a session is terminated.
  • An aspect of the invention is extracting the name of a transmitted file by the capture component or the audit server and saving in a session recording only the name of the accessed file even though the entire contents of the file were transmitted.
  • a cryptographic hash value of the file contents is stored in addition to the name.
  • An aspect of the invention is detecting when more than one capture component has access to the same session and causing it to be audited and/or stored only once.
  • Figure 1 illustrates a firewall proxy embodiment of a capture component for intercepting, authorizing, controlling, and auditing access to applications/computers through the firewall.
  • A capture component may also be implemented, e.g., within an application server (e.g., SSHD), within a host-based firewall, or in a virtual machine firewall between virtual machines on the same (or distinct) physical hardware (an example of such a virtual machine firewall would be the VMWare vShield product).
  • Figure 2 illustrates a multi-site enterprise network with a firewall protecting access to each site (and frequently also providing VPN (Virtual Private Network) connections between sites);
  • FIG. 3 illustrates a firewall embodiment of the invention in more detail
  • Figure 4 illustrates the structure of an audit/policy server and/or a private key server in an embodiment (such servers may be separate servers or may be combined into one or more combined servers in various embodiments);
  • Figure 6 illustrates advantageous packet formats in various embodiments of the invention
  • Figure 7 illustrates a method for handling an SSH connection through a capture component in an embodiment and performing policy enforcement, auditing (session logging), and data loss prevention (DLP) for it;
  • Figure 8 illustrates a method for connecting to the audit server and sending session audit data to it in an embodiment
  • Figure 9 illustrates auditing an RDP or HTTP/S protocol connection in an embodiment without specific policy enforcement actions.
  • Figure 2 illustrates an embodiment in an enterprise network with multiple sites.
  • 201 illustrates a (client) computer connected to the Internet or an intranet 203 (which is preferably an IPv4 or IPv6 network).
  • The computer means a computing device that comprises software for initiating a session with a server (typically using SSH (Secure Shell), RDP (Remote Desktop), VNC, or HTTP/S protocol, though other protocols could also be used).
  • 202 illustrates a (client) computer that has a wireless connection to the network via a base station 218 (the wireless network could be, e.g., WLAN, GSM/EDGE/HSPA, 3G, 4G, or WiMAX network, including optical and near-field networks).
  • the figure includes multiple sites for the enterprise.
  • Each site has a firewall 204, 205, 206; the firewalls advantageously comprising a capture component (which may actually be in the firewall or near the firewall in the network, though capture components could also be placed elsewhere, such as in front of servers).
  • Behind each firewall is an intranet or LAN 207, 211, 213 for the site (though in some cases it could be nearly as large as the Internet and include multiple sites).
  • Connected to each intranet may be one or more servers 208, 212, 214 that accept audited sessions (here, server encompasses both the notion of a (possibly virtual) computer and software for processing incoming connections), such as an SSH protocol server sshd 219, 220, and 221.
  • Connected to each intranet may be one or more clients 209 (a computer with fixed LAN connection), 210 (a computer with wireless connection through a base station 217).
  • The enterprise network in this embodiment also comprises an Active Directory Server 215 used for obtaining user information and an audit/policy/private key server 216 (in many organizations, there are multiple such servers, and virtual directories may be used for combining data from multiple Active Directory or LDAP servers and other sources).
  • All these functions are implemented using a single server; however, in other embodiments each could be implemented by one or more dedicated or virtual machines. Multiple machines may be used for the same function for scalability or high availability reasons (implementing scalability and high availability is well understood and documented in the art). There could also be, e.g., one or more separate database server machines in some embodiments.
  • FIG. 1 illustrates an embodiment of a capture component in a firewall 100.
  • Each firewall may contain one or more protocol proxies 101, such as an SSH proxy, RDP proxy, VNC proxy, FTP/S (FTP over SSL/TLS) proxy, or HTTP/S (HTTP over SSL/TLS) proxy.
  • a proxy may also implement more than one protocol.
  • Each proxy contains a man-in-the-middle component 104 for performing a man-in-the-middle attack (or key escrow or other suitable method) for obtaining access to the plaintext of the session; a policy engine 105 for deciding which users may connect to which services and/or which actions each user may perform with each service; and a full session logger 106 for sending substantially all (or at least 50%) of a session to an audit server, though in some embodiments sending may be more selective, such as only sending information about which files are accessed through the session, without actually sending file contents.
  • The capture component communicates with an audit, analysis, viewing, and storage server 102 (though these various functions of the servers may actually be implemented by more than one machine).
  • The capture component also communicates with an identity and authorization management infrastructure 103, such as Active Directory, LDAP, NIS, or a database containing user accounts and authorization information. There may be more than one such infrastructure or server.
  • Figure 3 illustrates a firewall 300 in more detail.
  • Juniper offers a line of service modules for its firewalls that can be used for implementing application proxies that intercept and modify data belonging to sessions.
  • Reducing the present invention to practice does not require building a firewall; one only needs to build an application proxy, and vendors' development kits frequently contain sample source code that can be used as a basis for building a proxy.
  • A firewall typically includes a management interface 301 that can be used, among other things, for loading and configuring application proxies (including defining firewall rules that direct certain protocols or TCP/IP ports to a particular proxy); one or more application proxies 302, some of which are provided by the firewall vendor and some of which may come from third parties and be installed on a firewall (e.g., using a Juniper service module on a Juniper firewall); stateful inspection hardware 311 (which may be implemented in software, or partly or fully in hardware, and which may also incorporate special hardware for, e.g., deep inspection using regular expressions); and a fast path 312 which represents logic for handling traffic for data streams that have already been authorized by the stateful inspection logic and is typically (but not necessarily) implemented in hardware.
  • A sample SSH proxy/plugin 303 is shown for capturing an SSH connection.
  • The capture component in this embodiment comprises an SSH decryptor 304, which implements logic for decrypting SSH sessions (example code for implementing this can be found in the open source OpenSSH program, which is currently at version 5.9); SSH encryptor 305, which implements logic for encrypting SSH sessions (example code for implementing this can also be found in OpenSSH); man-in-the-middle logic 306 for performing a man-in-the-middle attack on SSH sessions (further described below); policy enforcer 307, which interprets policy (the policy can be advantageously delivered to the capture component from an audit/policy server); user authentication and authorization component 308, which may check from, e.g., LDAP or Active Directory whether a user is authorized to connect to a particular service (though
  • FIG. 4 illustrates a combined audit/policy/private key server 400 in an embodiment (its functionality may also be divided among multiple servers, and it may use, e.g., database servers and identity/authorization infrastructure servers).
  • A server typically runs on a general purpose computer as an audit/policy server application 401, and the computer also includes an operating system 420 (e.g., Microsoft Windows or Unix/Linux), which typically provides logging services 421 such as syslog NG, crypto services 422, such as Microsoft Crypto API, and PKI services 423 (also often provided through Microsoft Crypto API or, e.g., the open source OpenSSL library), and hardware 430, which typically comprises one or more processors 431, one or more memory devices 432 (usually including both fast working memory such as DRAM, and non-volatile memory such as flash, magnetic disk, optical memory, or memristor arrays), crypto accelerator(s) 433 (such as the built
  • The hardware would typically also include one or more network interfaces, various buses and interfaces between processors and memory and I/O (such as PCI or USB).
  • The computer may also access memory over networks or buses using suitable protocols, such as SCSI, iSCSI, CFS, or NFS.
  • Any computer-readable memory may be used with the various aspects of the invention, regardless of the protocol or interface technology used for accessing it, except for transitory signals.
  • SSL/TLS protocol 402 may be used for the connection from capture components to the audit server (though any other suitable cryptographic protocol could also be used, including SSH and IPSec).
  • An authentication and authorization component 403 is used for authenticating users who use the audit server GUI (e.g., a web interface) to view audited sessions. It may also be used for authorizing individual sessions through capture components if the capture components have been configured to defer authorization decisions to the policy server.
  • The audit log encryptor 404 is used for encrypting audit logs on the audit server, in order to make it more difficult to accidentally leak or compromise audit data.
  • The audit data analyzer 406 comprises an indexing system and a string/regexp matcher (and/or other pattern matcher(s)) for detecting commands or other strings that may indicate suspicious activity (constraints configured for detecting such commands may involve, besides string matching, the user performing it, the related computers, applications executed, the script/command invoking the encrypted connection establishment, time, etc.). It may also perform OCR (Optical Character Recognition) on audit data for RDP or other graphical protocols to allow string matching against displayed data. It may also index audit data for later searching (such index could be plaintext or encrypted; passwords would preferably not be included in an index for security reasons).
  • Configurator for SSH/RDP/VNC 407 represents a component for managing client and server configurations for various protocols. Such management may include management of host keys for SSH, server certificates for RDP, etc. It may also include enabling key escrow functionality on servers and/or clients to enable faster capture. It may also cause a capture component embedded within, e.g., SSH servers to perform auditing for selected sessions.
  • the session viewer 408 represents a user interface for viewing audited sessions. It may be implemented, e.g., as a Java application downloaded from the management interface, as a graphical application (e.g., for Windows) that communicates with the management server using a suitable protocol (e.g., HTTP/S) to obtain an audit log (e.g., recorded session) and permit viewing it, or a video viewing element in a web user interface (implemented using, e.g., flash videos or HTML5 videos generated from a session and viewable through the user interface).
  • the session viewer may permit searching sessions based on strings transferred, files accessed, hosts connected, time, etc.
  • Such keys may hold one or more private keys (possibly storing them in the secure key storage 434).
  • Such keys could be host keys for hosts on which services that can be accessed run. Alternatively, they could be private keys for RDP or HTTP/S. It would also be possible to have one private key that is shared among multiple services.
  • the keys may be generated by the public/private key manager and distributed to clients and capture components. Alternatively, they may be obtained from the hosts on which services run.
  • the public/private key manager may also act as a server for requests from capture components for performing private key operations. It may perform such private key operations itself (after verifying that the request comes from a valid capture component authorized to perform such requests - this could be checked, e.g., by the capture component digitally signing the request using a key the audit server has generated for it, or using a shared secret to sign the request using a cryptographic hash function), possibly using the crypto services 422 and/or crypto accelerator 433. It may also forward the request to a host that has the private key for the destination host (typically the host running the service being connected to).
  • the key distributor and generator 410 takes care of generating key pairs and distributing them to hosts. In some embodiments, it may also generate host keys for managed SSH servers and send such host keys to both the servers and the clients (possibly through intermediaries).
  • the policy configurator 411 includes a user interface for configuring policies relating to which users can connect to which services (e.g., applications or computers) and what operations they can perform using such services. In some embodiments, the policies may be based on memberships of users in Active Directory groups, components of their distinguished names, etc. Computers and applications and groups relating to them may also be accessible from directories, and may be used in configuring the policy.
  • the policy distributor 412 distributes the policy, or some aspects of it, to the individual capture components (whether in firewalls, SSH servers, or otherwise).
  • the distributed policy may be the original policy in suitable encoding (e.g., ASCII file or ASN.1 encoded binary file). It may also be compiled into some kind of optimized filter code (which may be executable or interpreted data structures).
  • the policy distributor preferably tracks which capture components have already successfully received their policy, and retries transmitting the policy when it receives a connection from the capture component, or tries to periodically push it to the capture component until successful or the capture component is removed from the system (e.g., by removing it through the administrative user interface).
  • the policy enforcer 413 enforces the policy with respect to a session. Such enforcement is in some embodiments done partially or fully by the capture component, but in some other embodiments the capture component may suspend the session and send a request to the policy server to make the policy decision.
  • the policy server determines whether the operation in the session is to be allowed and delivers the result to the capture component.
  • the deployment facilitator 414 handles enrollment of new capture components and/or protocol servers (e.g., SSH servers) into the system.
  • each installed capture component is provided with a shared secret (e.g., through a user interface in a firewall, SSHD configuration file, or by embedding it into the capture component binary when downloading it from the audit server or other suitable server).
  • When the capture component first connects to the audit server, it authenticates itself using the shared secret (equivalently, it could be supplied with a private key and a digital signature could be used), and a new shared secret is negotiated (e.g., using the Diffie-Hellman protocol) or generated by the capture component or the audit server and delivered to the other party encrypted (e.g., encrypting it using the shared secret or a session key generated using, e.g., Diffie-Hellman). Thereafter, the new shared secret is used for authenticating the capture component to the audit server and, e.g., authorizing requests to perform a private key operation.
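
The shared-secret check on private key operation requests, and the replacement of the provisioned secret after the first connection, can be sketched as follows. This is an added example, not code from the patent: the class and function names, the HMAC-SHA256 construction, the request fields and the replay counter are all assumptions, and delivery of the new secret is assumed to happen over the already encrypted connection.

```python
import hashlib
import hmac
import secrets
import struct


def sign_request(secret, component_id, counter, operation, payload):
    """HMAC-SHA256 over length-prefixed fields, so that bytes cannot be
    shifted between fields without changing the tag."""
    fields = (component_id.encode(), struct.pack(">Q", counter),
              operation.encode(), payload)
    message = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return hmac.new(secret, message, hashlib.sha256).digest()


class KeyOperationGate:
    """Audit-server side gate in front of private key operations
    (hypothetical name; the patent describes the check, not an API)."""

    def __init__(self):
        self._secrets = {}        # component id -> current shared secret
        self._last_counter = {}   # component id -> highest counter accepted

    def install(self, component_id, provisioned_secret):
        # Secret handed to the component at installation time.
        self._secrets[component_id] = provisioned_secret
        self._last_counter[component_id] = 0

    def rotate(self, component_id):
        # Called after the first authenticated connection: from now on only
        # the new secret authorizes requests from this component.
        new_secret = secrets.token_bytes(32)
        self._secrets[component_id] = new_secret
        self._last_counter[component_id] = 0
        return new_secret

    def remove(self, component_id):
        # Component deleted through the administrative interface.
        self._secrets.pop(component_id, None)
        self._last_counter.pop(component_id, None)

    def verify(self, component_id, counter, operation, payload, tag):
        secret = self._secrets.get(component_id)
        if secret is None:
            return False          # unknown or removed capture component
        expected = sign_request(secret, component_id, counter,
                                operation, payload)
        if not hmac.compare_digest(expected, tag):
            return False          # constant-time comparison of the tags
        # Assumption of this example: a strictly increasing counter rejects
        # replayed requests. The patent text does not describe this.
        if counter <= self._last_counter[component_id]:
            return False
        self._last_counter[component_id] = counter
        return True
```
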
  • the session state monitor 415 tracks which sessions are active through any of the capture components connected to the auditing system (in some embodiments, it may only track audited sessions). Advantageously, it also provides a user interface (e.g., web GUI) for displaying active connections and searching/sorting connections by user, host, application, protocol, firewall, location, etc.
  • the high availability component 416 implements high availability for the audit server using any known method for implementing high availability.
  • the audit server itself is stateless, and a distributed database is used for storing all state about active connections. Capture components communicate with the audit server using UDP (or open a new TCP connection if the old one gets disconnected). It is well known in the art of building web applications how to implement high availability using such stateless servers and a high-availability database (e.g., some versions of MySQL and Oracle support high availability).
  • the server could also be implemented using stateful design, as is known in the art of designing network servers and web applications.
  • the iCAP sender or DLP (Data Loss Prevention) component 417 implements a Data Loss Prevention interface. It may operate in Detective Control mode, which provides visibility to what has been transferred, or Preventive Control mode, which can actually prevent disallowed data from getting out. In Preventive Control mode, the system generally buffers received data and holds it for a while, sends the data for DLP analysis (possibly using the iCAP protocol), and waits for the DLP subsystem to determine whether the data can be allowed to go through. The data is not actually sent to the other side of the control device until the DLP subsystem gives permission to do so.
  • Figure 5 illustrates packet flow across the capture component (FW/proxy 502) when a client 501 connects to a server 503 using the SSH protocol.
  • the client opens a TCP connection to the server 504, which gets redirected by the firewall's application gateway functionality to the application proxy 502.
  • the proxy then opens a TCP connection 505 to the destination host/server 503 (typically using functionality/APIs provided by the firewall).
  • the server sends its version number 506 to the proxy, which forwards it to the client 507.
  • an SSH key exchange is performed between the client and the proxy 508, and another key exchange is performed between the proxy and the server 509 (these exchanges may occur simultaneously, or connecting to the server may be delayed until the key exchange between the client and the server has been completed and the client has authenticated to the proxy).
  • the client typically thinks it is communicating with the server.
  • the proxy normally forwards it to the server 511, and vice versa 512, 513.
  • the proxy may inspect the packets and perform policy decisions on which operations are allowed. If it disallows an operation, it may, e.g., terminate the connections to the client and server, or synthesize a response to the request denying it (but otherwise allowing the connection to continue).
  • the capture component may use key escrow to the capture component's key to disclose the session keys to the capture component, allowing the capture component (and/or the audit server) to decrypt the data without performing a man-in-the-middle attack.
  • the capture component inserts a specially formatted "IGNORE" packet in the packet stream going in each direction before the first "KEXINIT" packet.
  • the IGNORE packet includes a magic cookie that permits a co-operating implementation to recognize it as indicating that a capture component is present between the client and the server. This also permits the client to display a notice about auditing to the user, if appropriate.
  • the IGNORE packet also contains a signature by the capture component (by a key held by the capture component) with a certificate indicating it as a valid capture component signature in the organization, hash-signature using a shared secret held by the client and the audit server or capture component (or some element that they can ask to sign the message).
  • the signature is optional.
  • the client then encrypts the session keys/data using the public key, sends them to the capture component in an IGNORE message that contains identification identifying it as a key escrow message and identifying the public key, the capture component forwards the key escrow message to the audit server, the audit server decrypts/computes the session keys, and if the capture component needs access to the keys (e.g., for making policy or authorization decisions), the audit server sends the keys to the capture component over an encrypted channel that it has with the capture component.
  • the key escrow IGNORE message is re-sent during rekeying before taking the new keys into use.
  • Advantages of using this kind of co-operative key escrow over the known prior art include higher performance of the capture component (it will not need to do man-in-the-middle attack, eliminating the need to have access to the service's private key and eliminating the need to re-encrypt the data with a different key to the destination host), and when policy decisions are delegated to the audit server, eliminating the need to decrypt the session in the capture component entirely (the capture component could then forward each packet to the audit server, and upon receiving permission from the audit server to forward the packet, forward it to the host at the other end of the connection).
  • Figure 6 illustrates various packet formats that may be used on the connection between the capture component and the audit server and/or in recorded session logs on the audit server.
  • a session recording (session log data) 600 comprises session keys 601 (preferably encrypted by a key encrypting key securely held within the audit server, or encrypted by a public key the private key to which is only accessible to personnel authorized to read audit logs) and encrypted session data 602 (which can be a simple recording of the entire session; however, with additional headers indicating the direction from which each packet or byte was received).
  • the session log packet 610 illustrates the layout of a packet in the session log in one embodiment.
  • the sequence number 611 indicates the sequence number of the packet in the stream (the sequence number is used in the SSH protocol for authentication/encryption, but is only needed if not all packets are included in the session log - otherwise the sequence number is simply the packet's position in the stream for that direction).
  • the direction 612 indicates whether the packet was received from the client or from the server.
  • the length 613 indicates the number of bytes in the packet.
  • the data 614 is the original packet (encrypted by the session keys).
  • the original packet may or may not contain the message authentication code (including it may make non-repudiation possible, especially if a co-operating server or client escrows the MAC keys using a separate public key for which the private key is only available to a limited number of people doing non-repudiation checks).
  • the key escrow packet 620 illustrates a possible layout of an IGNORE message used for key escrow.
  • the escrow packet identification 621 is a predetermined value used for identifying the packet as a key escrow packet.
  • the escrow key id 622 identifies the public key that was used for encrypting the session key(s). It might be a copy of the public key, or some other identifier (e.g., small integer) understood by the audit server.
  • the key encrypted using escrow key 623 is the key encrypted using the public key (or a random key encrypted by the public key followed by data encrypted by the random key, if the key/data is too long to be encrypted by the public key directly).
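
The two layouts of Figure 6 can be made concrete with a small encoder and a parser that refuses truncated or oversized records. This is an added example, not code from the patent: the text names the fields 611-614 and 621-623 but gives no field widths, so the big-endian widths, the identification value and the size bound below are assumptions. Only the SSH_MSG_IGNORE message number and its single string field come from the SSH transport protocol (RFC 4253).

```python
import struct

SSH_MSG_IGNORE = 2                          # RFC 4253 message number
ESCROW_MAGIC = b"KEY-ESCROW-EXAMPLE\x00"    # constructed stand-in for field 621
FROM_CLIENT, FROM_SERVER = 0, 1             # assumed encoding of direction 612
MAX_PACKET = 256 * 1024                     # assumed bound on length 613
LOG_HEADER = struct.Struct(">IBI")          # 611 sequence, 612 direction, 613 length


def pack_log_packet(seq, direction, data):
    """Wrap one captured (still encrypted) packet in a session log header."""
    if direction not in (FROM_CLIENT, FROM_SERVER):
        raise ValueError("unknown direction")
    return LOG_HEADER.pack(seq, direction, len(data)) + data


def iter_log_packets(buf):
    """Yield (seq, direction, data) for each record in a session log."""
    off = 0
    while off < len(buf):
        if len(buf) - off < LOG_HEADER.size:
            raise ValueError("truncated header at offset %d" % off)
        seq, direction, length = LOG_HEADER.unpack_from(buf, off)
        off += LOG_HEADER.size
        if direction not in (FROM_CLIENT, FROM_SERVER):
            raise ValueError("unknown direction %d" % direction)
        if length > MAX_PACKET or length > len(buf) - off:
            raise ValueError("length field exceeds available data")
        yield seq, direction, buf[off:off + length]
        off += length


def ssh_string(data):
    return struct.pack(">I", len(data)) + data


def read_string(buf, off):
    if len(buf) - off < 4:
        raise ValueError("truncated length")
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    if length > len(buf) - off:
        raise ValueError("string runs past end of message")
    return buf[off:off + length], off + length


def pack_escrow_ignore(key_id, encrypted_key):
    """Key escrow packet 620 carried as the data string of an IGNORE message."""
    body = ESCROW_MAGIC + ssh_string(key_id) + ssh_string(encrypted_key)
    return bytes([SSH_MSG_IGNORE]) + ssh_string(body)


def parse_escrow_ignore(payload):
    """Return (key_id, encrypted_key), or None for any other message,
    including an ordinary IGNORE that does not carry the identification."""
    if not payload or payload[0] != SSH_MSG_IGNORE:
        return None
    body, end = read_string(payload, 1)
    if end != len(payload):
        raise ValueError("trailing bytes after IGNORE data")
    if not body.startswith(ESCROW_MAGIC):
        return None
    key_id, off = read_string(body, len(ESCROW_MAGIC))
    encrypted_key, off = read_string(body, off)
    if off != len(body):
        raise ValueError("trailing bytes in escrow packet")
    return key_id, encrypted_key
```
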
  • Figure 7 illustrates processing an incoming connection by the capture component in an embodiment.
  • the processing begins when an incoming connection is received 700 (typically using the TCP/IP protocol).
  • a connection is then opened to the destination server 701 (though in another embodiment connecting to the destination server might be delayed until the user making the connection has been authenticated to the capture component).
  • An SSH key negotiation according to the SSH protocol is then negotiated with both sides
  • the intended destination host is usually identified by the destination IP address (e.g., if the capture component runs as an application proxy in a firewall and captures connections as an intermediary), but could also be, e.g., preconfigured, passed as part of the user's name during user authentication (in this case, user authentication would be performed before connecting to the destination host), or in some other part of the exchange (e.g., as a message that is an extension to the current SSH protocol as standardized by the IETF).
  • an SSH transport layer connection exists with both the initiating host and the destination host), and packets can be exchanged between the hosts, encrypted by the SSH protocol in accordance with the protocol specification. If end of session is detected 703, logging the session to a session log is finalized 704 (e.g., by sending a packet to the audit server indicating that the session has been closed) and processing for the incoming session is complete 705 and the session is now closed.
  • a packet is read from the connection (it may be received from either the initiating host or the destination host, and the source should preferably be recorded with the packet for later processing) and decrypted using the encryption keys negotiated with the side that sent the packet 706.
  • Policy is then enforced on the packet 707 (e.g., checking whether the packet is a request to open a port forwarding connection, and if so, checking whether the request should be allowed according to the configured policy; if the request is to be denied, a response packet to that effect is constructed according to the SSH protocol and sent to the host that sent the request packet - or alternatively the session could be, e.g., disconnected, and/or the request could be logged and/or alerts triggered/generated using, e.g., SNMP traps, SMS text messages, and/or e-mail).
  • If the packet is allowed, then execution continues from 708, and if session logging (recording) is enabled for the session, the packet is sent to the session log 708 (e.g., by sending it to the audit server using a connection that exists with the audit server). If the session is not logged, this step can be skipped. Then, the packet (or some content from it, possibly combined with content from other packets) is optionally sent to data loss prevention (DLP) analysis 709, e.g., using the iCAP protocol.
  • the DLP system may respond by allowing the packet to pass through, or may deny sending the packet or, e.g., cause disconnecting the session.
  • the packet is then re-encrypted with the encryption and message authentication keys for the other host 710 (initiating host if the packet was originally received from the destination host, and vice versa).
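
Step 707 for the port forwarding case can be shown on a decrypted SSH payload: recognize a "direct-tcpip" channel open, evaluate it against an ordered rule list, and build the denial the SSH connection protocol defines. This is an added example, not code from the patent: the message numbers and field layout are those of RFC 4254, while the rule format, the sample rules, the function names and the choice to disconnect on malformed input are assumptions.

```python
import fnmatch
import struct

SSH_MSG_CHANNEL_OPEN = 90                   # RFC 4254 message numbers
SSH_MSG_CHANNEL_OPEN_FAILURE = 92
SSH_OPEN_ADMINISTRATIVELY_PROHIBITED = 1

# Constructed policy: (action, user glob, destination host glob, port or None).
# Rules are ordered, the first match wins, and no match means deny.
FORWARD_RULES = [
    ("allow", "dba-*", "db.internal.example", 5432),
    ("deny", "*", "*.internal.example", None),
    ("allow", "*", "*", 443),
]


def take_u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0], off + 4


def take_string(buf, off):
    length, off = take_u32(buf, off)
    if length > len(buf) - off:
        raise ValueError("string runs past end of packet")
    return buf[off:off + length], off + length


def ssh_string(data):
    return struct.pack(">I", len(data)) + data


def build_direct_tcpip(sender_channel, host, port):
    """Constructed sample request, used only to exercise the checks below."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string(b"direct-tcpip")
            + struct.pack(">III", sender_channel, 2097152, 32768)
            + ssh_string(host.encode()) + struct.pack(">I", port)
            + ssh_string(b"192.0.2.10") + struct.pack(">I", 50000))


def parse_direct_tcpip(payload):
    """Return (sender_channel, host, port), or None for any other packet."""
    if not payload or payload[0] != SSH_MSG_CHANNEL_OPEN:
        return None
    channel_type, off = take_string(payload, 1)
    sender_channel, off = take_u32(payload, off)
    _window, off = take_u32(payload, off)
    _max_packet, off = take_u32(payload, off)
    if channel_type != b"direct-tcpip":
        return None
    host, off = take_string(payload, off)
    port, off = take_u32(payload, off)
    return sender_channel, host.decode("utf-8"), port


def forwarding_allowed(user, host, port, rules=FORWARD_RULES):
    for action, user_glob, host_glob, rule_port in rules:
        if (fnmatch.fnmatchcase(user, user_glob)
                and fnmatch.fnmatchcase(host.lower(), host_glob)
                and rule_port in (None, port)):
            return action == "allow"
    return False


def open_failure(recipient_channel, text):
    """CHANNEL_OPEN_FAILURE addressed to the requester's channel number."""
    return (struct.pack(">BII", SSH_MSG_CHANNEL_OPEN_FAILURE, recipient_channel,
                        SSH_OPEN_ADMINISTRATIVELY_PROHIBITED)
            + ssh_string(text.encode()) + ssh_string(b""))


def enforce(user, payload):
    """Return ("forward", payload), ("reply", failure) or ("disconnect", b"")."""
    try:
        request = parse_direct_tcpip(payload)
    except (ValueError, struct.error):
        return "disconnect", b""            # malformed request: fail closed
    if request is None:
        return "forward", payload           # not a forwarding request
    sender_channel, host, port = request
    if forwarding_allowed(user, host, port):
        return "forward", payload
    return "reply", open_failure(sender_channel, "port forwarding denied by policy")
```
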
  • Figure 8 illustrates how a capture component may send audit data about a session to an audit server in an embodiment. These actions would advantageously be performed in conjunction with processing an incoming session, though they could also be delayed, e.g., if the connection to the audit server cannot be made in real time when the session is opened or if log data is otherwise queued/buffered at a capture component.
  • Establishing a connection to an audit server begins at 800; this would typically take place when an incoming connection is received from a client when the connection has been authenticated, but could also be delayed.
  • a connection is opened to the audit server 801, then encryption is negotiated with the audit server 802, using, e.g., the SSL, TLS, or SSH protocol (the encryption used could equivalently for the purposes described here be hard-coded or preconfigured).
  • these steps are performed once for each session, but it would also be possible for the capture component to perform these steps only once, and perform the remaining steps 803-807 for each session, including an identifier for the session in the packets sent to the audit server where appropriate.
  • a session start record is sent to the audit server at 803.
  • This record informs the audit server that a new session begins by sending them a session start record 803 and would typically identify the initiating and destination host IP addresses, and if user authentication has already been performed, the identity of the user, and possibly things like the requested service (these pieces of information could equivalently be sent using separate packets when they are available).
  • the communication between the capture component and audit server is encrypted using the negotiated encryption protocol.
  • a packet belonging to the audited session or some parts thereof are wrapped into log packet headers 808 and sent to the audit server 809 using the negotiated encryption protocol.
  • the sent packet could contain decrypted plaintext data of the received packet (see 706), or could be the original received encrypted packet, or could be the encrypted packet sent to the other side in 710 (if it is an encrypted packet, the encryption keys or data for deriving them should be sent to the audit server at 803 or at some other time; in some embodiments, the key-related data could also be sent to and stored at a completely separate server for added security).
  • a session end record is sent to the audit server 805 using the negotiated encrypted protocol, the connection to the audit server is closed 806, and auditing the session is complete 807. (If multiple sessions are logged using the same connection to the audit server, then steps 806 and 807 would not normally be performed for every session.)
  • the audit server could also be configured to automatically interpret a session as ending if connection to the capture connection is lost (TCP connection closed or time-outs).
  • Figure 9 illustrates processing an incoming connection 900 at an audit server in an embodiment.
  • the connection is received at 901, and encryption is negotiated between the audit server and the capture component 902, including authenticating the client (in this case, capture component) to the audit server (e.g., by having each capture component possess a private key used to sign a suitable value as part of the negotiation, and using a corresponding public key at the audit server to verify the signature - examples of a similar operation can be found from, e.g., the SSH protocol).
  • connection is closed 904 (recording end of session for non-closed sessions being audited through the connection in some embodiments, though in some other embodiments logging such sessions could continue using another connection) and handling the connection is complete 905.
  • a packet is received from the connection 906, it is decrypted according to the negotiated encryption protocol, and the received packet is processed.
  • the packet is written to an audit log file 907, but other processing could also take place in addition to or in place of the write - for example, a session start record could trigger opening a new audit log file.
  • an SSH, RDP, VNC, HTTP/S, or FTP/S session is captured by a plugin (application proxy) installed in a firewall.
  • the application proxy implements the capture component as a software module.
  • the capture component is accompanied with configuration data, including the IP address of the audit server, information for authenticating the management server (e.g., shared secret, public key, certificate, or CA certificate of the manager), and policy configuration information received from the audit/policy server.
  • the capture component is also accompanied by the private key corresponding to one or more SSH host keys, or SSL host certificate, and possibly by a certificate and/or public key corresponding to the private key.
  • the firewall is configured to direct one or more protocols (e.g., by TCP/IP port number) to the application proxy.
  • the firewall redirects packets destined to a destination host to the application proxy, typically terminating the TCP/IP connection and connecting it to the proxy (even though the connection was destined to an IP address different from the firewall's address).
  • the firewall may also open a TCP/IP connection to the destination host, or may leave it to the application proxy to open a connection to the destination host.
  • the firewall would manipulate source IP addresses for the connection to the destination host so that it looks to the destination host as if the connection came from the initiating host.
  • the firewall may also use its own address for the connection.
  • the firewall makes the original initiator and destination IP addresses and port numbers available to the application proxy.
  • the firewall may also act as a NAT device or
  • Audit data from the capture component is advantageously collected to an audit server that is not within the firewall; several firewalls (and other audit data sources) could audit to the same audit server. Many firewalls can operate in either bridged or routed mode.
  • Benefits of this embodiment over the prior art include the ability to handle pass-through traffic at the full speed supported by the firewall; the ability to install the capture component remotely without requiring an administrator to go and physically install it on the boxes (in this case, hardware appliances); improved reliability because no additional devices will be required; ease of diagnosing problems because the person diagnosing the problem will only need to understand the firewall, not completely separate boxes; the ability to record sessions from multiple firewalls into a single audit data server for storage and analysis; the ability to operate non-intrusively, without changing what SSH/RDP/etc. clients end users/administrators use.
  • solutions require a special device or virtual machine to be added, through which all audited connections must be routed.
  • No known prior art solution is able to collect audit data (e.g., session recordings) from multiple points into a single audit server.
  • a single audit server is easier to secure, easier to back up and make fault-tolerant, and allows multiple entry points to an organization (firewalls) and internal access (via server auditing) to be consolidated into a single system for analysis, without requiring a security administrator to access potentially dozens of systems to find a particular session recording or check what sessions a particular user has had or who has accessed a particular service.
  • the capture component is implemented as part of an SSH (Secure Shell protocol) server (e.g., as an integral component built into the server or as a plugin or dynamically loadable library).
  • When a connection arrives at the server, encryption is negotiated with the end host according to the SSH protocol.
  • When packets are being sent, they are passed to the capture component (essentially steps 706-709) before encrypting them, and received packets are decrypted, and then passed through the capture component (essentially steps 706-709) before passing them to the rest of the SSH protocol code.
  • Parts of the capture component could be integrated into other parts of the SSH server, such as making policy decisions regarding port forwarding in the code that handles port forwarding packets.
  • Auditing of packets would most naturally be done between other packets and encryption/decryption as described above; however, it could also be done for the encrypted packet if the encryption keys or data for deriving them are made accessible to the audit server.
  • DLP functionality could advantageously be implemented as part of the code that handles file transfers and/or the SFTP protocol.
  • the capture component is implemented as part of an SSH server, but is configured to audit data transmitted through a channel in the SSH channel protocol.
  • One advantageous use of this configuration would be for auditing a forwarded RDP connection.
  • the SSH server is configured to audit a session (using any protocol that can be audited) transmitted using a channel in another SSH protocol session. Thus, an SSH session inside another SSH session (possibly nested many times) could still be audited.
  • Benefits of implementing the capture component in servers include the ability to audit sessions without installing any additional devices to the network and without modifying firewalls. Adding application proxies to firewalls may require authorization from a different group in an organization, which may sometimes be difficult to obtain from an organizational process standpoint and may thus be commercially important in enabling sale and deployment of product quicker. It also allows internal access which does not go through any firewalls to be audited, including access between virtual machines running on the same hardware in, e.g., a VMWare virtualization environment.
  • the capture component is implemented as part of an SSH client.
  • the implementation in a client is quite analogous to the implementation in a server. The benefits are similar to the server case.
  • the capture component is implemented as part of a host-based firewall.
  • the benefits are similar to implementing it in a physical firewall at a network boundary.
  • the SSH client and/or the SSH server escrows the session encryption key(s) to the capture component that is in the middle of the network.
  • the benefits of this embodiment include allowing auditing (session recording) to be performed without decrypting and re-encrypting the traffic (basically, without doing a man-in-the-middle attack).
  • Benefits of this approach include higher performance of the capture component (eliminating encryption/decryption there if no policy enforcement is required (potentially multiplying performance/throughput) and eliminating re-encryption if policy enforcement is needed (potentially almost doubling performance/throughput)).
  • the man-in-the-middle attack is performed by terminating the SSH session initiated at the initiating host at the capture component, and initializing an entirely new SSH session from the capture component to the destination host.
  • data transmitted in various channels is buffered at the capture component and re-packetized for transmission to the other side.
  • the man-in-the-middle attack is performed without fully terminating the SSH session at the capture component.
  • Encryption is terminated at the capture component, but the same packets are re-encrypted for the other side (with a different key).
  • Channel windows of the SSH channel protocol are not terminated at the capture component, but instead are end-to-end through it. There is no per-channel buffering of the channel data and no re-packetizing of the data. Nevertheless, the capture component may refuse to forward some packets/requests to the other side and may instead reject some requests and send back a packet to that effect (as specified in the SSH protocol). Some packets/requests may be rejected by silently deleting them from the stream. Yet other packets/requests may be rejected by terminating the session.
  • the vast majority of packets are transmitted through the capture component without reconstructing the packets.
  • Reconstructing means that new SSH packet headers are constructed for the packets or that data is re-packetized. Just decrypting and re-encrypting the same packet is not considered reconstructing.
  • more than 50% of all packets in a session are handled in man-in-the-middle capture without reconstructing the packets.
  • the capture component and the audit server reside on different hosts (physical or virtual hosts).
  • Known prior art solutions store recorded sessions on the same hosts on which the capture is performed.
  • the benefits of sending the audit data to a separate server include separation of functions as required by various security standards and regulations; the ability to collect audit data from multiple points into a single server for analysis and storage; offloading compute-intensive functionality from the capture component (which may run in a firewall with limited or expensive computational resources) to one or more general purpose computers where computing resources are cheaper and more easily expandable; such offloading also allows better throughput and more connections through a firewall; the separation also makes it more difficult for administrators to subvert the system since they generally will not have access to the audit server and recorded sessions (or even the machine that contains them).
  • the capture component sends substantially all data exchanged in a session to an audit server in decrypted form (however, the transmission to the audit server uses an encrypting protocol for that connection).
  • the audit server does not need to decrypt the session before analyzing it.
  • the audit server encrypts the received audit data using a special session recording encryption key, which is further encrypted by a key encrypting public key.
  • an encoded policy is sent from an audit server or policy server to a capture component.
  • the policy may be, e.g., an ASCII file or a binary blob (e.g., using ASN.1 DER encoding) and may be digitally signed and/or encrypted.
  • the encoded policy is used by a capture component in deciding whether a session or an action in a session is authorized.
  • the policy could be structured as an ordered set of policy rules, similar to a firewall policy or IPSec security policy, specifying which hosts may connect. It may also contain more detailed policies, on per-host, per host-group, per-application, or default basis.
  • Such detailed policies may describe, e.g., which port forwardings are permitted, which files may be accessed and how, or which commands may be executed in an interactive shell. It is generally well known in the art how to implement evaluation of a packet or request against such policy rules.
  • the encoded policy limits which files can be accessed using SFTP or FTP/S protocol.
  • the policy contains one or more file paths or regular expressions that specify which files and/or directories can be accessed, and whenever a file is opened or created, it is checked whether the policy allows the named file to be accessed in the specified manner.
  • the file name given in the request may be combined with the name of the current working directory before making the check.
  • No prior art is known for controlling, using a capture component, which files may be accessed in an SFTP or FTP/S session.
  • the benefits of this embodiment over the prior art include the ability to control access to files at a firewall (or in a capture component in a server) even for encrypted sessions. This increases the security of access to files, can provide an extra protection layer against accidental user or configuration errors, and allows improved control over which files each user can access.
  • a capture component requests a private key from a private key server / audit server in response to receiving a connection that uses a private host key for which the capture component does not have the private key.
  • the capture component sends a request to the private key server, the private key server looks the key up from a database or requests it from another server, and sends the key to the capture component. If the key is not available, an error notification is sent to the capture component.
  • a man-in-the-middle attack is performed without having a private key for the destination host (e.g., a private SSH host key or private key corresponding to an RDP certificate) at the capture component.
  • when the capture component needs to perform a man-in-the-middle attack for a session, it sends information relating to the session to a private key server / audit server, causing it to perform the private key operation on behalf of the capture component and send the results back to the capture component, and upon receiving the results of the cryptographic operation, performing the man-in-the-middle attack by the capture component.
  • the private key server / audit server further sends the relevant information and the request to another host or application that has access to the relevant private key causing it to perform the cryptographic operation using the private key, sending the results to the private key server / audit server, which further sends them to the capture component (the server could also send the result directly to the capture component, and the audit server could direct the capture component to contact the appropriate server for performing a cryptographic operation using a particular private key).
  • the benefits of performing the man-in-the-middle attack without direct access to the private key include easier compliance with industry security standards such as PCI, some of which require that a private key may only be stored in one location; this unexpected benefit is not provided by any of the known prior art solutions.
  • when a capture component requests a private key or to perform a cryptographic operation using a private key, the capture component signs the request using a private key enrolled for the capture component when it was connected to the private key server and for which the audit server has the corresponding public key or certificate, and the audit server validates that the private key request comes from a valid capture component by validating the signature.
  • a shared secret or hash-based signature could also be used.
  • a request from the private key server to another server may be similarly signed by the private key server (or the original signature may be forwarded).
  • the capture component sends data collected from one or more plaintext packets (decrypted packets or packets that have not yet been encrypted if capturing outgoing packets in SSH client or server), and sends it to a Data Loss Prevention (DLP) system using the iCAP protocol.
  • the capture component waits for a response from the DLP system before allowing the data to be forwarded to the other side of the capture component.
  • the request to transmit the data is rejected by synthesizing an error message in accordance with the protocol used for the session back to the requestor.
  • the session is terminated in response to a DLP system indicating that the data must not be transmitted.
  • a limited amount of data can be transmitted before waiting for a response to a DLP system.
  • An advantage of sending data to the DLP system using the iCAP protocol over the prior art is that it permits the DLP system to reside in a remote location, and permits any iCAP-compliant DLP system to be used.
  • An unexpected benefit of using iCAP from the capture component for DLP is that it permits preventive DLP, i.e., the capture component can wait until it receives permission from a DLP system before forwarding the data.
  • the capture component waits until it has received an entire file being transmitted, then sends it to a DLP system using the iCAP protocol, and in response to receiving a permission from a DLP system sends the file to the destination.
  • the session is suspended, then the iCAP request is sent, and upon receiving the response, the session is resumed (if action permitted), or a rejection response is sent, or the session is terminated based on the configured policy and the details of the response from the DLP system.
  • the data is sent to an anti-virus system or malware checker instead of a DLP system, and the request to transfer the file is rejected if it contains malware or a virus.
  • None of the known prior art solutions are able to prevent malware or a virus from being transferred, as they do not support suspending the session for the duration of the check and responding based on the results of the check. Caching could be used similarly as with DLP.
  • the audit server sends data extracted from audit data packets received from a capture component to a Data Loss Prevention system, and if the data loss prevention system informs the audit server that the action is not allowed, the audit server informs the capture component that the action is not allowed. In one embodiment, this causes the capture component to terminate the connection. In another embodiment, the capture component suspends the session after sending audit data to the server until it receives a reply from the audit server, and depending on the type of the reply, resumes the session (by forwarding the packet to the other side with the proper encryption), terminates the session, or rejects the request.
  • the benefits of doing DLP from the audit server in this manner include lower DLP system licensing costs (because only one host or a low number of audit server hosts will connect to the DLP server) and the ability to work around internal firewalls which might not permit all capture components to connect to the DLP system (particularly when some capture components reside in SSH servers in specially secured locations), improving the robustness of the solution and reducing customer support requests and costs.
  • an alert is triggered.
  • Such alert may be triggered by, e.g., sending an SNMP trap to a network management system, ticketing system, or some other enterprise management system, by sending an SMS text message, by sending an e-mail, and/or in any other suitable manner known in the art.
  • the session may also be flagged in the audit server as warranting special inspection and/or investigation. The flagging functionality provides the benefit of bringing suspicious sessions to the attention of the security administration, allowing suspicious behavior to be detected early, often before concrete damage is done.
  • the capture component suspends the session (or the channel to which the packet relates), sends information about the packet to the policy server so that the policy server can make a policy decision about the session, and upon receiving a response from the policy server, resumes the session, rejects the request, or terminates the session.
  • the session is suspended by a capture component after user authentication, and a request to authorize the session is sent to the audit/policy server.
  • the audit/policy server responds
  • the session is resumed or terminated depending on the response.
  • the response may also include policy restrictions to be applied to the session.
  • the audit server adds the session to sessions requiring 4-eyes authorization and keeps the session suspended until another properly authorized user connects to the audit/policy server (directly or indirectly using suitable software, such as a web browser) and authorizes the session to continue.
  • the audit server displays a copy or near-realtime video of the session to the second user, permitting the second user to monitor the actions performed in the session.
  • the text of the "terminal" part of an SSH session is displayed, with links to transferred files and port forwarding data.
  • the second user has a button available for triggering immediate termination of the session (with optional immediate closing down of any access to the first user); in one embodiment, pressing this button causes a termination request to be sent from the audit/policy server to the capture component, and upon receiving such termination request, the capture component terminates the session in question.
  • the termination request may include an identifier of the session.
  • the capture component receives the notification of successful authentication from the destination host, synthesizes a response requesting the desired type of additional authentication from the client, and only upon receiving proper response from the client sends the notification of successful authentication to the client. None of the known prior art does this.
  • An unexpected benefit is that a second factor of authentication can be added by a capture component without a reconfiguration of a server.
  • the second factor could be, for example, SMS-based authentication or RSA SecurID authentication, and requiring it might depend on, e.g., which capture component the connection goes through, the source IP address, and the time of the day.
  • an auditing system performs a man-in-the-middle attack on a cryptographic protocol (e.g., SSH, SSL, or TLS, possibly used for tunneling another protocol such as RDP (Windows Remote Desktop) or HTTP (for HTTP/S)).
  • While the auditing system is performing the man-in-the-middle attack and is required to use the private key of the original destination system of the protocol connection, it identifies the server to which the protocol session was targeted, identifies a computer that has access to the private key corresponding to a public key (advantageously embedded in an X.509 certificate for the destination) used for authenticating the server (advantageously this computer is the same computer as the destination server), and connects to that computer for performing a private key operation using the private key (the connection may be protected by a suitable cryptographic protocol, such as SSL, TLS, SSH, IPSec, or XMLSec).
  • captured sessions are sent to a centralized storage server, or vault.
  • the sessions are analyzed on the vault against a set of filtering rules.
  • New filtering rules, potentially including new executable program code for analyzing the sessions, may be added to the vault without necessarily modifying any of the computer components (or more generally, the hosts or virtual machines containing/implementing the capture components).
  • the vault may also be extended in scope to cover multiple computers storing and/or analyzing sessions without modifying the capture components. This is an unexpected benefit provided by having session logs from capture components stored in a separate vault.
  • the escrow key is a public-private key pair, with the public key accessible to the client and/or server, and the private key accessible to the auditing system (the capture component capturing the connection between the client/server, and/or the audit server, and/or a separate computer capable of performing a decryption operation using the private key).
  • the capture component uses (access to) the private escrow key and decrypts the connection without performing a man-in-the-middle attack on the connection.
  • the capture component uses the escrow data to decrypt the session for inspection, but sends the original encrypted packet through the capture component without re-encrypting it, reducing processing overhead.
  • the capture component does not even decrypt the session (and need not itself have access to the escrow data, though advantageously can recognize that the audit server does have access to it and performs a full man-in-the-middle attack if it does not), but just sends a copy of the session to the audit server (including the escrow data).
  • the audit server then decrypts the session based on its configured policy.
  • the operation of the capture component depends on policy information provided by the audit/policy server.
  • the capture component caches a policy decision, and reuses the previously made decision based on cached information when a compatible (e.g., the same) decision needs to be made in the future.
  • the data is flushed from the cache after a given time period; in another embodiment, the data is flushed when the audit server notifies the capture component that the policy has changed.
  • a capture component is configured with more than one audit/policy/private key server IP address. The capture component attempts to connect to one of the configured audit server IP addresses. In response to the connection attempt failing, the capture component tries to connect to another one of the configured audit server addresses, and repeatedly attempts connections to the configured addresses until a connection succeeds.
  • a capture component or an audit server deletes user passwords from the audit data before storing the audit data in long-term storage (long-term storage meaning storage where the data will be kept for hours or days, typically non-volatile magnetic disk with present technology).
  • the management system indexes the contents of a session, but the password(s) are not included in the index.
  • the audit server causes OCR (Optical Character Recognition) to be performed for an RDP session (or other graphical session, such as X11 session or some other remote desktop protocol session).
  • the OCR is performed essentially immediately when the session data is captured (essentially immediately here meaning approximately within one minute - in any case potentially before the session is terminated if the session is of long duration).
  • the text resulting from OCR is subjected to indexing for later content-based searches and analysis.
  • the text is sent to a Data Loss Prevention system (e.g., using the iCAP protocol).
  • the text is analyzed using one or more analysis algorithms (possibly based on configurable policy), and an alert (e.g., SMS, e-mail, triggered action) is generated in response to an analysis result.
  • the capture component performs a man-in-the-middle attack on a cryptographic protocol session embedded within another cryptographic protocol session.
  • the SSH protocol allows TCP/IP ports/connections to be forwarded within an encrypted tunnel, and other cryptographic sessions (e.g., SSH, SSL, TLS) can be embedded within forwarded connections.
  • the capture component decrypts the outer cryptographic protocol using a man-in-the-middle attack, and by inspecting data inside the outer protocol determines that a connection is/may be tunneled.
  • the embedded connection contains a cryptographic protocol connection, it performs a man-in-the-middle attack on the inner connection. This process may be nested for an arbitrary number of layers.
  • the escrow method described above may alternatively be used for the outer and/or the inner connection(s).
  • configured policy information specifies that only some files can be transferred across a cryptographic connection (e.g., an SSH+SFTP connection or FTP/S (SSL+FTP) connection).
  • a capture component decrypts the cryptographic protocol layer(s) and analyzes the file transfer protocol (e.g., SFTP or FTP) inside the cryptographic layer to determine which directories are being accessed and/or which files (or path names) are being transferred. It compares the directories and/or file/path names against the configured policy. Based on the configured policy and the match of the names against it, it determines the action to perform.
  • the policy may permit files in a certain directory to be read and all other operations to be denied. If the file path matches the permitted directory, the request is permitted and passed through the capture component (or regenerated for the other side). If it does not match, the request is not passed through, but instead a failure response is generated and sent to the side originating the request.
  • the policy may also specify that the connection should be disconnected (and potentially other actions taken, such as the access closed for the user account used for authenticating the connection).
  • An aspect of the invention is auditing a connection only once even if it goes through more than one capture component.
  • the capture component sends to the audit server (or other suitable server) the source IP, source port, destination IP, and destination port of the connection.
  • the audit server checks if it is already auditing a connection with the same IP addresses and port numbers. If so, it tells the second (and third, and so on) capture component not to audit that connection. Otherwise it tells the capture component to audit it.
  • it still causes the capture component to audit the connection if more than a predetermined time has elapsed since the original connection was opened or if the new connection comes from the same capture component that was previously auditing that connection.
  • it closes the previous auditing connection and audits the new connection as an extension to the previous connection (possibly auditing it in the same file or otherwise as part of the same session as the previous connection).
  • the contents of one or more transferred files are copied to and stored on an audit server.
  • the audit server has a database mapping cryptographic hashes of the contents of files to locations of previously stored file contents.
  • a cryptographic hash of the file contents is computed, a lookup is made to the database using the hash value, and only a reference to the file (e.g., the hash value) is stored in the audit log.
  • the capture component computes the hash of the file, sends the hash (or information derived from it) to the audit server, the audit server performs a lookup from its database using the sent information, and responds to the capture component informing it whether it should send the full contents of the file to the audit server. In response, the capture component either sends or does not send the full contents.
  • the database also contains information about whether the file has previously passed DLP (or anti-virus or other suitable checks), and in response to the information indicating that the file is acceptable for DLP or other checks, the capture component skips performing DLP or other similar checks on the file again.
  • an audit system co-operates with a key management system for SSH host keys, SSL server keys/certificates, and/or other keys.
  • the audit system connects to the key management system and causes the key management system (or a host managed by it) to perform a private key operation needed for performing a man-in-the-middle attack on a cryptographic session.
  • when the user has been successfully authenticated but before confirming authentication to the client, the capture component sends an authorization request to the audit server (or other suitable server) with an identification of the user and optionally data about where the user connects from, and/or details about the user's client (e.g., version number and vendor).
  • selecting has its ordinary meaning, with the extension that selecting from just one alternative means taking that alternative (i.e., the only possible choice), and selecting from no alternatives either returns a "no selection" indicator (such as a NULL pointer), triggers an error (e.g., a "throw" in Lisp or "exception" in Java), or returns a default value, as is appropriate in each embodiment.
  • a computer may be any general or special purpose computer, workstation, server, laptop, handheld device, smartphone, wearable computer, embedded computer, a system of computers (e.g., a computer cluster, possibly comprising many racks of computing nodes), distributed computer, computerized control system, processor, or other similar apparatus capable of performing data processing.
  • a computing system is a computer or a group of connected computers, such as the computers within an enterprise, or elements thereof.
  • Computer program code means computer executable or interpretable instructions for causing a computer to perform various actions as determined (in part) by the computer program code.
  • Computer program code may be, e.g., directly executable processor instructions, byte code for execution by a byte code interpreter or emulator, byte code that is compiled into machine-executable instructions (e.g., by a Java Just-On-Time compiler), or source code that is interpretable and/or compilable as machine instructions for controlling a computer (e.g., Python or Tcl code).
  • a firewall is a computing device that monitors and/or restricts communications between network segments or hosts.
  • Firewalls are frequently installed at the boundaries of an organization's internal network (e.g., at Internet connection points). Sometimes firewalls are also used for dividing the internal network into segments between which traffic is controlled (e.g., to protect critical servers or to establish a DMZ (Demilitarized Zone) for externally visible servers).
  • a firewall may be a stand-alone device, may be integrated into another device (e.g., router or ADSL modem), and may comprise multiple co-operating computers, possibly in a fault-tolerant configuration.
  • a firewall may also be understood as the overall system of elements for establishing a security perimeter, including, e.g., a packet filter ("traditional firewall"), anti-virus detection gateway, DLP (Data Loss Prevention) gateway, IPS (Intrusion Prevention System) or IDS (Intrusion Detection System), traffic recorder for recording data packets going across the firewall for, e.g., forensics purposes, auditing system (for recording access to some or all user accounts), VPN (Virtual Private Network) gateway, etc.
  • a firewall as a whole is usually a kind of computer and may comprise (more restricted) computers as components.
  • Some firewalls are software components that are installed in a computer in addition to its other software (often called host-based firewalls).
  • a plugin is a software module that can be installed into a larger software system (possibly embedded in a hardware product) in order to extend or modify the functionality of the larger software system, such as by adding support for an additional protocol or file format.
  • Many software packages provide well-defined APIs and installation mechanisms for such software components.
  • Plaintext also called cleartext
  • Plaintext means the plain (unencrypted) version of some encrypted data, as opposed to ciphertext, the encrypted version.
  • the plaintext can be obtained from the ciphertext by decrypting the ciphertext using a cipher and a decryption key.
  • the exact relationship between the plaintext and ciphertext depends on the encryption method and protocol involved; sometimes it is more complex than just decryption. See, e.g., the SSH protocol specification for examples.
  • Access to the plaintext of an encrypted connection may be provided, e.g., by storing the connection in decrypted (plaintext) format, storing the decryption key (and other related information, such as the cipher name) with the original encrypted data, or by decrypting the original encrypted session into plaintext, and then encrypting it using another key which is then stored in addition to the newly encrypted data (permitting access to the plaintext by decrypting the newly encrypted data using this key).
  • the decryption key might be stored directly or, e.g., encrypted by another key (such as encrypted using a public key, so that it can only be decrypted using a corresponding private key).
  • the encryption key could also be stored using a secret sharing scheme, such as the Shamir or Blakley methods. With secret sharing, access to the decryption key could be made to depend on having K of N secrets (e.g., requiring at least three people out of five to co-operate).
  • Substantially all plaintext of a connection means access to one or more of: all plaintext of a connection; all plaintext except passwords and other security-sensitive data; substantially all plaintext of a connection in one direction.
  • substantially all plaintext does not necessarily include such attachments.
  • Computer-readable media includes any non-transitory media that can be read by a computer, such as computer-readable magnetic data storage media (e.g., floppies, disk drives, tapes), computer-readable optical data storage media (e.g., disks, tapes, holograms, crystals, strips), semiconductor memories (such as flash memory, memristor memory, and various ROM and RAM technologies), media accessible through an I/O bus and/or interface in a computer, media accessible through a network interface in a computer, and networked servers from which data can be read by another computer.
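
The file-access check described in the list above (ordered policy rules, path patterns, and combining the requested name with the current working directory) can be sketched as follows. This is an added example, not code from the patent or from any product; the `Rule` structure, the sample policy and all paths are constructed for illustration, and it goes slightly beyond the text by normalizing `..` segments and doubled slashes before matching.

```python
import posixpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    pattern: str       # regular expression, matched against the whole normalized path
    modes: frozenset   # access modes covered by the rule, e.g. {"read", "write"}


def resolve(cwd, name):
    """Combine the requested name with the working directory, then normalize.

    Normalization is lexical only: the capture component sees the protocol,
    not the server's file system, so symbolic links cannot be resolved here.
    Assumes cwd is an absolute POSIX-style path tracked for the session.
    """
    if "\x00" in name:
        raise ValueError("NUL byte in file name")
    joined = name if name.startswith("/") else posixpath.join(cwd, name)
    # normpath collapses "." and ".." segments but may keep a leading "//".
    return "/" + posixpath.normpath(joined).lstrip("/")


def decide(rules, cwd, name, mode):
    """Return (action, normalized_path); first matching rule wins, default deny."""
    try:
        path = resolve(cwd, name)
    except ValueError:
        return "deny", None
    for rule in rules:
        if mode in rule.modes and re.fullmatch(rule.pattern, path):
            return rule.action, path
    # No rule matched: the request is not passed through.
    return "deny", path


# Constructed sample policy: reports are readable, the private subtree is not.
POLICY = [
    Rule("deny", r"/srv/reports/private(/.*)?", frozenset({"read", "write"})),
    Rule("permit", r"/srv/reports(/.*)?", frozenset({"read"})),
]

if __name__ == "__main__":
    requests = [
        ("/srv/reports", "q1.csv", "read"),
        ("/srv/reports", "../../etc/passwd", "read"),
        ("/srv/reports", "q1.csv", "write"),
        ("/", "//srv/reports/private/x", "read"),
    ]
    for cwd, name, mode in requests:
        print(cwd, name, mode, "->", decide(POLICY, cwd, name, mode))
```

Matching the raw request string instead of the normalized path would let `../` sequences or a doubled leading slash slip past a prefix-style rule, which is why the check runs after the working directory has been applied.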
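
The hash-based exchange between capture component and audit server described in the list above (hash lookup, conditional upload of file contents, and skipping DLP for files that already passed) is shown below as an added example that is not from the patent or any product. Class and method names are hypothetical, the DLP check is a stand-in callable, SHA-256 is an assumed choice of hash, and the audit server recomputes the hash of uploaded contents, a check the text does not mention.

```python
import hashlib


class AuditServer:
    """Audit-server side: contents stored once per hash, plus cached check results."""

    def __init__(self):
        self.contents = {}          # sha256 hex -> file bytes (stands in for a storage location)
        self.passed_checks = set()  # hashes of files that already passed DLP or similar checks
        self.audit_log = []         # (session_id, filename, sha256): references only

    def lookup(self, digest):
        """Tell the capture component whether to upload and whether checks can be skipped."""
        return {
            "send_contents": digest not in self.contents,
            "checks_passed": digest in self.passed_checks,
        }

    def record(self, session_id, filename, digest, contents=None, checks_passed=False):
        if contents is not None:
            # Do not trust the announced hash: a wrong mapping would poison
            # every later audit record that references this digest.
            if hashlib.sha256(contents).hexdigest() != digest:
                raise ValueError("contents do not match announced hash")
            self.contents.setdefault(digest, contents)
        elif digest not in self.contents:
            raise KeyError("unknown hash and no contents supplied")
        if checks_passed:
            self.passed_checks.add(digest)
        self.audit_log.append((session_id, filename, digest))


class CaptureComponent:
    """Capture side: hashes each transferred file and uploads it only when asked to."""

    def __init__(self, server, dlp_check):
        self.server = server
        self.dlp_check = dlp_check  # callable(bytes) -> bool, stand-in for a DLP system
        self.dlp_calls = 0
        self.bytes_uploaded = 0

    def on_file_transferred(self, session_id, filename, contents):
        digest = hashlib.sha256(contents).hexdigest()
        reply = self.server.lookup(digest)
        if reply["checks_passed"]:
            allowed = True          # identical contents already passed: skip the check
        else:
            self.dlp_calls += 1
            allowed = self.dlp_check(contents)
        upload = contents if reply["send_contents"] else None
        if upload is not None:
            self.bytes_uploaded += len(upload)
        self.server.record(session_id, filename, digest, upload, checks_passed=allowed)
        return allowed              # False: the transfer must not be forwarded


if __name__ == "__main__":
    server = AuditServer()
    capture = CaptureComponent(server, lambda data: b"SECRET" not in data)
    report = b"quarterly report\n" * 100   # constructed sample file
    print(capture.on_file_transferred("s1", "report.txt", report))
    print(capture.on_file_transferred("s2", "copy.txt", report))
    print(capture.dlp_calls, capture.bytes_uploaded, len(server.audit_log))
```

Only a passing verdict is cached here, so a file that failed the check is re-checked on every later transfer rather than being waved through or blocked from stale state.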

Abstract

Privileged access to one or more computer systems is audited by performing a man-in-the-middle attack against a cryptographic protocol (e.g., SSH) at one or more capture components, transmitting audit data to a centralized audit server, and managing access to private keys to enable the attack to be performed transparently.

Description

PRIVILEGED ACCESS AUDITING
FIELD OF THE INVENTION
The invention relates to security in computer networks and computing systems, and particularly to auditing of privileged access to computers.
BACKGROUND OF THE INVENTION
Large enterprises have many thousands of server computers and tens of thousands or more of in- dividual computing devices. Such organizations also typically use hundreds or thousands of different com¬ puter software applications in the course of their business, and have many, often hundreds of system ad¬ ministrators installing, maintaining, operating, up- grading, and otherwise administering these computers and applications.
Many applications provide different access or privilege levels for users. For example, a financial application might have privileged accounts that can be used to configure the system (e.g., select currencies used, create or delete accounts) and normal accounts that can only be used for day-to-day operations or da¬ ta entry. For computer systems, there are typically normal user applications that are only used for run- ning various application software, and administrator accounts (such as the root account in Unix/Linux or Administrator account and Domain Administrator account in Windows) that can be used to install, modify, or delete software on the system or access hardware (e.g., disk drives) directly, bypassing normal securi¬ ty and protection mechanisms on the computer (in prac¬ tice, such accounts frequently permit kernel-level or operating system level access by allowing the instal¬ lation of new device drivers or upgrading the operat- ing system kernel) . Given the large powers of certain administrator accounts, it is also possible to hide one's actions or insert hidden subvertive code into the system through such accounts.
Given the high number of administrators and the ability of some accounts to subvert even the oper- ating system, it is important for organizations to monitor and audit access to and use of privileged ac¬ counts. This is important even for many medium-level privileged accounts where such auditing might still be required by regulations or good corporate governance policies. Furthermore, some applications might be so critical that all access to them should be audited, while others might ideally require real-time auditing and control from more than one person while performing administrative actions.
Several commercial products exist for con¬ trolling and auditing actions by administrators.
The PowerBroker product from BeyondTrust, Inc. permits fine-grained control and auditing of cer¬ tain administrative actions.
The Xsuite products from Xceedium permit mon¬ itoring of SSH (Secure Shell) and RDP (Remote Desktop Protocol) sessions by requiring all administrative connections to be made through a centralized server, which decides which administrative interfaces a user can connect to and audits the actions performed by the administrator. It has access to the plaintext of even encrypted connections by making the connection from the centralized server and providing an HTTP-based web connection to the administrator. A shortcoming of the solution is that it forces administrators to use the user interface and tools provided by the solution; it is thus intrusive and changes the way administrators need to work.
The Privileged Session Management Suite from Cyber-Ark has similar capabilities and functionality as the Xceedium product, and suffers from similar shortcomings.
The Shell Control Box from Balabit also permits monitoring and auditing of SSH, RDP, VNC (Virtual Network Computing), and certain other types of sessions. While it can be operated in Bastion Mode, which is somewhat similar to the aforementioned products, it can also act as an intermediate device in the network between the administrative user and the computer running the application to which the administrative connection is. It performs a man-in-the-middle attack on the cryptography, which enables it to decrypt, inspect, and record even the contents of encrypted communications protocols. However, performing such attack smoothly requires that the intermediate device has a copy of the private key of the host being connected to, called destination host (for SSH), or a private key and certificate for the destination host (for, e.g., RDP). If the host key of the destination host is changed (it is prudent security practice to change any keys regularly), the key must be changed also on the intermediate device. When there are many hosts and many applications, this becomes very cumbersome. Furthermore, such keys may also be stored in, e.g., SSH clients, resulting in very confusing error/warning messages to end users when the keys are changed.
The Shell Control Box is frequently installed next to a firewall and stores all audit data on the Shell Control Box itself. Sometimes it is installed next to the server. When there are multiple firewalls or multiple servers to protect (possibly at different sites in widely separated geographic locations), logs from multiple users will be distributed at multiple locations, and since sensitive user data (including passwords) is stored at each device, compromise of even a single device may result in compromise of sensitive passwords.
The SSH protocol is described in the Internet Engineering Task Force (IETF) standards RFC 4250 The Secure Shell (SSH) Protocol Assigned Numbers, RFC 4251 The Secure Shell (SSH) Protocol Architecture, RFC 4252 The Secure Shell (SSH) Authentication Protocol, RFC 4253 The Secure Shell (SSH) Transport Layer Protocol, and RFC 4254 The Secure Shell (SSH) Connection Protocol. The original protocol was invented and developed by one of the present inventors in 1997-1999, and then standardized by the IETF. The above-mentioned RFCs are hereby incorporated herein by reference in their entirety. They are freely available for download at www.ietf.org.
The Secure Shell (SSH) protocol and related client and server software applications are now included in nearly all Unix and Linux versions, such as IBM AIX, HP-UX, Solaris, Red Hat, SUSE, Ubuntu, etc. Popular implementations of the SSH protocol include the open source OpenSSH, which is based on the present inventor's free SSH version 1.12 from 1995, and the commercial Tectia SSH client and server from SSH Communications Security (Tectia Corporation).
The Secure Sockets Layer (SSL) protocol is described in RFC 6101. Its newer version, Transport Layer Security (TLS) protocol is described in RFC 5246. These RFCs are hereby incorporated herein by reference in their entirety. They are freely available for download at www.ietf.org.
The Remote Desktop Protocol is based on, and an extension of, the ITU T.120 family of protocols. It is described in detail in Microsoft documentation, available with the Microsoft Developer Network product, under the entry [MS-RDPBCGR]: Remote Desktop Protocol: Basic Connectivity and Graphics Remoting Specification, December 14, 2011, which is hereby incorporated herein by reference. (The document is freely available for download at msdn.microsoft.com.)
An objective of the present invention is to provide an improved system for controlling and auditing access to applications and other administrator/user actions in computers and other apparatuses, even when administrators use encrypted sessions protected by protocols such as SSH or RDP (with SSL/TLS).
SUMMARY OF THE INVENTION
The invention is not intended to be limited to embodiments that meet any particular objective or provide any particular benefit mentioned herein; in fact, many of the aspects and elements of the invention described herein have independent useful and inventive applications, and may be incorporated into an apparatus, method, computer software, or data structure or another aspect or embodiment of the invention to form a new aspect of the invention. "An embodiment" or "one embodiment" may refer to one exemplary embodiment or class of embodiments, not necessarily all embodiments and possibly different embodiments in each case. In this specification "audit data" generally, though not necessarily, means the full contents of a session (substantially all packets transmitted in a session) and optionally associated metadata.
An aspect of the invention is a system for capturing, decrypting (via a man-in-the-middle attack or otherwise), authenticating, authorizing, controlling, auditing, and/or DLP-controlling connections to applications and/or computers. One possible embodiment of the invention is an apparatus, and components of the system may be embodied in one or more apparatuses. Another embodiment of the invention is a computer program product on a computer-readable medium that can be executed by one or more processors and that may be installed in one or more firewalls, network appliances, dedicated computers, virtual machines, or other data processing systems. Yet other embodiments of the invention include methods for capturing, decrypting, authenticating, authorizing, controlling, auditing, and/or DLP-controlling connections to applications and/or computers.
The invention comprises many aspects and elements which may be combined in whole or in part to form new aspects and embodiments of the invention.
An aspect of the invention is capturing a session by a firewall plugin installed in a firewall.
An aspect of the invention is capturing a session by a capture component inside an SSH (Secure Shell Protocol) server.
An aspect of the invention is capturing a session by a capture component inside an SSH client.
An aspect of the invention is capturing a session by a capture component inside an RDP (Remote Desktop Protocol) server.
An aspect of the invention is capturing a session by a capture component as part of a host-based firewall.
An aspect of the invention is performing man-in-the-middle capture for SSH using key escrow information sent by an SSH client or server.
An aspect of the invention is performing man-in-the-middle capture for SSH without re-constructing at least 50% of all packets in the session.
An aspect of the invention is sending session audit data to an audit server from the capture component, where the audit server for storing recorded sessions and capture component reside on different physical or virtual hosts.
An aspect of the invention is sending substantially all data exchanged in a session to an audit server, where the data is either decrypted before sending or the data is sent with information required for decrypting it.
An aspect of the invention is sending encoded policy from an audit server to the capture component, capturing a session by the capture component, and using said encoded policy by the capture component in deciding whether the session or action therein is authorized.
An aspect of the invention is requesting a private key from a private key server for the purpose of performing a man-in-the-middle attack on an encrypted session. (It should be noted that even though it is called an "attack" for historical reasons, here it is simply used as a technique for obtaining plaintext of a session among co-operating parties.)
An aspect of the invention is sending information relating to a particular encrypted session to a private key server, causing a cryptographic operation to be performed by the private key server using a private key and said information, receiving results of the private key operation from the private key server, and performing a man-in-the-middle attack on the session using the results.
An aspect of the invention is receiving a connection from a capture component, authenticating the capture component, receiving a request to perform a cryptographic operation using a private key with information relating to a particular session, performing the requested private key operation, and sending the results of the private key operation back to the capture component.
An aspect of the invention is decrypting data belonging to a session in a capture component, sending the decrypted data to a Data Loss Prevention system using the iCAP protocol or other suitable protocol, and based on a value returned by the Data Loss Prevention System, either disconnecting the connection or allowing the data to go through.
An aspect of the invention is decrypting data belonging to a session in a capture component, sending the decrypted data to an Anti-Virus/Malware checker, and based on a value returned by the Anti-Virus/Malware checker, permitting or denying the data transfer.
An aspect of the invention is the audit server receiving audit data relating to a session from a capture component, the audit server sending said data to a Data Loss Prevention System, and in response to the Data Loss Prevention system informing the audit server that transmitting the data is not allowed, causing the capture component to terminate the connection. Another aspect of the invention combines this with flagging the session and/or triggering an alarm.
An aspect of the invention is suspending a session by a capture component, informing a policy server by the capture component that a new session to a particular service (service here meaning computer and/or application) is being requested (optionally with information about the requesting user), waiting for the policy server to authorize the connection, and the capture component allowing the session to continue after receiving authorization from the policy server.
An aspect of the invention is receiving information from a capture component about a new session and the service being requested, determining that 4-eyes supervision is required for the session, waiting for a user different from the user requesting the new session to authorize the new session, and when such authorization is received, authorizing the capture component to allow the session to continue.
An aspect of the invention is receiving a connection for a new session by a capture component, receiving the identity of the user under whose authorization the session is to be performed, suspending the session, sending the user's identity to a policy server, waiting for authorization from the policy server, and in response to receiving such authorization, allowing the session to continue while being monitored.
An aspect of the invention is receiving a connection for a new session from a client by a capture component, receiving the identity of the user under whose authorization the session is to be performed, authenticating the user to the requested service, and in addition to receiving notification of successful authentication from the service, the capture component requesting a second authentication from the client, and only notifying the client of successful authentication if also this second authentication is successful.
An aspect of the invention is the capture component obtaining information about a service to which a connection request is received from a directory (e.g., an LDAP directory, Kerberos, or Microsoft Active Directory), and determining whether the connection is to be permitted without obtaining connection to an audit or policy server based on the information obtained from the directory.
An aspect of the invention is a method for auditing SSL or TLS (e.g., HTTP/S and RDP) sessions comprising: providing a software module on a computer having the private key corresponding to a certificate used by the server for SSL authentication; performing a man-in-the-middle attack in a network device/computer through which packets belonging to the SSL session are routed, the man-in-the-middle attack including identifying which server the SSL session was originally destined to; identifying a server that has access to the private key corresponding to a certificate for the destination server; contacting said software module during the man-in-the-middle attack for performing a private key operation using a private key that said software module provides access to. In a variant aspect, the software module provides a copy of a private key to a module performing man-in-the-middle attacks, and the man-in-the-middle attack uses a provided local copy of a private key to perform the man-in-the-middle attack.
An aspect of the invention is loading a software module for auditing encrypted sessions onto a firewall using an administration interface. Another aspect is a firewall-installable software module stored on tangible computer-readable medium for recording substantially all contents of an encrypted session in a form or with information that permits substantially all contents of the session to be later analyzed in decrypted form.
An aspect of the invention is adding of new analysis methods for encrypted connections without modifying capture components.
An aspect of the invention is obtaining the private host key for a computer and copying the host key to the audit server.
An aspect of the invention is receiving, by a private key server, a request to perform a cryptographic operation with information identifying the destination computer for the session that the request relates to, establishing a connection to the destination server, and causing the sending of a request to the destination server to perform the private key operation relating to the session, together with credentials that tell the destination server that the request is authorized by a private key server.
An aspect of the invention is causing the sending of a public key corresponding to a private key using which the capture component can have a cryptographic operation performed to a client as the public key of a service the client can connect to.
An aspect of the invention is receiving key escrow data from a co-operative client or server by a capture component, and using the key escrow data to audit a session without decrypting it at the capture component by sending the key escrow data and the encrypted session to an audit server.
An aspect of the invention is receiving key escrow data from a co-operative client or server by a capture component, using the key escrow data to decrypt the session, and sending an original encrypted packet belonging to the session to the destination host without re-encrypting it.
An aspect of the invention is caching aspects of recently made policy decisions in the capture component to speed up later policy decisions by the capture component.
An aspect of the invention is configuring the capture component with more than one audit server address, and in response to one of the configured audit servers not responding, connecting to another audit server. Correspondingly for private key servers and policy servers.
An aspect of the invention is deleting passwords from audit data before storing audit data in its long-term storage format.
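One way a capture component or audit server could delete passwords before long-term storage, given here as an added example that is not code from the patent: it parses a decrypted SSH_MSG_USERAUTH_REQUEST payload in the RFC 4252 layout and blanks the password fields. The function names, the `<redacted>` marker and the sample payload builder are assumptions made for illustration.

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50   # message number from RFC 4252
REDACTED = b"<redacted>"        # assumed marker, not defined by the patent


def read_string(buf, off):
    """Read an RFC 4251 string (uint32 length + bytes); return (value, next_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + length], off + length


def put_string(value):
    """Encode bytes as an RFC 4251 string."""
    return struct.pack(">I", len(value)) + value


def build_password_request(user, password, new_password=None):
    """Construct a sample password-method request (constructed test input only)."""
    out = bytes([SSH_MSG_USERAUTH_REQUEST])
    out += put_string(user) + put_string(b"ssh-connection") + put_string(b"password")
    out += bytes([1 if new_password is not None else 0]) + put_string(password)
    if new_password is not None:
        out += put_string(new_password)
    return out


def redact_userauth_password(payload):
    """Return (payload_safe_to_store, was_modified) for one decrypted SSH payload.

    Layout for the "password" method (RFC 4252 section 8):
      byte 50, string user, string service, string "password",
      boolean change_flag, string password [, string new_password]
    Other messages and other auth methods are returned unchanged.
    Keyboard-interactive responses (RFC 4256) are out of scope here.
    """
    if not payload or payload[0] != SSH_MSG_USERAUTH_REQUEST:
        return payload, False
    try:
        user, off = read_string(payload, 1)
        service, off = read_string(payload, off)
        method, off = read_string(payload, off)
        if method != b"password":
            return payload, False
        if off >= len(payload):
            raise ValueError("missing change-password flag")
        changing = payload[off] != 0
        _, off = read_string(payload, off + 1)      # current password
        if changing:
            _, off = read_string(payload, off)      # new password
    except ValueError:
        # Fail closed: a malformed auth request may still hold secret bytes,
        # so keep only the message type and drop the body.
        return payload[:1], True
    clean = payload[:1] + put_string(user) + put_string(service) + put_string(method)
    clean += bytes([1 if changing else 0]) + put_string(REDACTED)
    if changing:
        clean += put_string(REDACTED)
    return clean, True
```

The user name and service name survive, so the stored record still shows who attempted to authenticate to what.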
An aspect of the invention is performing OCR (Optical Character Recognition) for an RDP (Remote Desktop Protocol) session or other protocol session transmitting text in graphical format in a capture component and sending text resulting from the OCR to a centralized audit server. Another aspect includes using such text for policy decisions, such as Data Loss Prevention or alerts.
An aspect of the invention is performing OCR (Optical Character Recognition) for an RDP (Remote Desktop Protocol) session or other protocol session transmitting text in graphical format in an audit server and indexing the resulting text for later lookups. Another aspect includes using such text for policy decisions, such as Data Loss Prevention or alerts.
An aspect of the invention is storing different connections relating to an SSH session as separate audit log entries in an audit server and making them separately viewable in the audit server user interface.
An aspect of the invention is interpreting the contents of a port forwarding connection within an SSH protocol session as another encrypted session (e.g., SSH, RDP, or VNC session), and performing a man-in-the-middle attack on that other SSH session to decrypt its contents.
An aspect of the invention is interpreting the contents of a logical channel in an SSH protocol session as a file transfer channel and enforcing policy about which files may be accessed on any file access operations using that channel.
An aspect of the invention is a computer-readable memory system comprising an audit data file for a session wherein the session data is encrypted, and a different encryption key is used for encrypting passwords than other data.
An aspect of the invention is the capture component obtaining an encryption key for the audit server and encrypting audit data sent to the audit server using said keys.
An aspect of the invention is the capture component sending more than 50% of audit data to the audit server encrypted using the same encryption keys used for the session on either side of the capture component without encrypting that data using other keys for transmission to the audit server.
An aspect of the invention is sharing a single connection to an audit server for multiple sessions, comprising sending a notification about a new session to the audit server, and including with audit data packets an identifier for the session that it belongs to, and sending a notification to the audit server when a session is terminated.
An aspect of the invention is extracting the name of a transmitted file by the capture component or the audit server and saving in a session recording only the name of the accessed file even though the entire contents of the file were transmitted. In another embodiment, a cryptographic hash value of the file contents is stored in addition to the name.
An aspect of the invention is detecting when more than one capture component has access to the same session and causing it to be audited and/or stored only once.
A further aspect of the invention is the audit server computing a cryptographic hash value of the contents of a file or web page transferred using a connection, checking if a file with that hash value has already been transferred, and if so, saving only a reference to the previously stored file (e.g., its hash value) in the audit log instead of the full contents of the file.
This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended that this Summary be used to limit the scope of the claimed subject matter. Furthermore, the claimed subject matter is not limited to implementations that solve any or all disadvantages noted in any part of this disclosure.
BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings, which are included to provide a further understanding of the invention and constitute a part of this specification, illustrate embodiments of the invention and together with the description help to explain the principles of the invention. In the drawings:
Figure 1 illustrates a firewall proxy embodiment of a capture component for intercepting, authorizing, controlling, and auditing access to applications/computers through the firewall. A capture component may also be implemented, e.g., within an application server (e.g., SSHD), within a host-based firewall, or in a virtual machine firewall between virtual machines on the same (or distinct) physical hardware (an example of such a virtual machine firewall would be the VMWare vShield product).
Figure 2 illustrates a multi-site enterprise network with a firewall protecting access to each site (and frequently also providing VPN (Virtual Private Network) connections between sites);
Figure 3 illustrates a firewall embodiment of the invention in more detail;
Figure 4 illustrates the structure of an audit/policy server and/or a private key server in an embodiment (such servers may be separate servers or may be combined into one or more combined servers in various embodiments);
Figure 5 is a packet diagram that illustrates the packet flow in an embodiment implementing man-in-the-middle attack for the SSH protocol;
Figure 6 illustrates advantageous packet formats in various embodiments of the invention;
Figure 7 illustrates a method for handling an SSH connection through a capture component in an embodiment and performing policy enforcement, auditing (session logging), and data loss prevention (DLP) for it;
Figure 8 illustrates a method for connecting to the audit server and sending session audit data to it in an embodiment; and
Figure 9 illustrates auditing an RDP or HTTP/S protocol connection in an embodiment without specific policy enforcement actions.
DETAILED DESCRIPTION OF THE INVENTION
Reference will now be made in detail to the embodiments of the present invention, examples of which are illustrated in the accompanying drawings.
Figure 2 illustrates an embodiment in an enterprise network with multiple sites. 201 illustrates a (client) computer connected to the Internet or an intranet 203 (which is preferably an IPv4 or IPv6 network). The computer means a computing device that comprises software for initiating a session with a server (typically using SSH (Secure Shell), RDP (Remote Desktop), VNC, or HTTP/S protocol, though other protocols could also be used). 202 illustrates a (client) computer that has a wireless connection to the network via a base station 218 (the wireless network could be, e.g., WLAN, GSM/EDGE/HSPA, 3G, 4G, or WiMAX network, including optical and near-field networks).
The figure includes multiple sites for the enterprise. Each site has a firewall 204, 205, 206; the firewalls advantageously comprising a capture component (which may actually be in the firewall or near the firewall in the network, though capture components could also be placed elsewhere, such as in front of servers). Behind each firewall is an intranet or LAN 207, 211, 213 for the site (though in some cases it could be nearly as large as the Internet and include multiple sites). Connected to each intranet may be one or more servers 208, 212, 214 that accept audited sessions (here, server encompasses both the notion of a (possibly virtual) computer and software for processing incoming connections), such as an SSH protocol server sshd 219, 220, and 221. Connected to each intranet may be one or more clients 209 (a computer with fixed LAN connection), 210 (a computer with wireless connection through a base station 217).
The enterprise network in this embodiment also comprises an Active Directory Server 215 used for obtaining user information and an audit/policy/private key server 216 (in many organizations, there are multiple such servers, and virtual directories may be used for combining data from multiple Active Directory or LDAP servers and other sources). In this embodiment all these functions are implemented using a single server; however, in other embodiments each could be implemented by one or more dedicated or virtual machines. Multiple machines may be used for the same function for scalability or high availability reasons (implementing scalability and high availability is well understood and documented in the art). There could also be, e.g., one or more separate database server machines in some embodiments.
Figure 1 illustrates an embodiment of a capture component in a firewall 100. Each firewall may contain one or more protocol proxies 101, such as an SSH proxy, RDP proxy, VNC proxy, FTP/S (FTP over SSL/TLS) proxy, or HTTP/S (HTTP over SSL/TLS) proxy. A proxy may also implement more than one protocol. Each proxy contains a man-in-the-middle component 104 for performing man-in-the-middle attack (or key escrow or other suitable method) for obtaining access to the plaintext of the session; a policy engine 105 for deciding which users may connect to which services and/or which actions each user may perform with each service; and a full session logger 106 for sending substantially all (or at least 50%) of a session to an audit server, though in some embodiments sending may be more selective, such as only sending information about which files are accessed through the session, without actually sending file contents. The capture component communicates with an audit, analysis, viewing, and storage server 102 (though these various functions of the servers may actually be implemented by more than one machine).
The capture component also communicates with an identity and authorization management infrastructure 103, such as Active Directory, LDAP, NIS, or a database containing user accounts and authorization information. There may be more than one such infrastructure or server.
Figure 3 illustrates a firewall 300 in more detail. Generally, it is well known in the art how to build firewalls, as evidenced by the many firewall products that have been marketed over the last 15 years, including some open source ones, such as pfSense. For example, Juniper offers a line of service modules for its firewalls that can be used for implementing application proxies that intercept and modify data belonging to sessions. Thus, reducing the present invention to practice does not require building a firewall; one only needs to build an application proxy, and vendor's development kits frequently contain sample source code that can be used as a basis for building a proxy. A firewall typically includes a management interface 301 that can be used, among other things, for loading and configuring application proxies (including defining firewall rules that direct certain protocols or TCP/IP ports to a particular proxy); one or more application proxies 302, some of which are provided by the firewall vendor and some of which may come from third parties and be installed on a firewall (e.g., using a Juniper service module on a Juniper firewall); stateful inspection hardware 311 (which may be implemented in software, or partly or fully in hardware, and which may also incorporate special hardware for, e.g., deep inspection using regular expressions); and a fast path 312 which represents logic for handling traffic for data streams that have already been authorized by the stateful inspection logic and is typically (but not necessarily) implemented in hardware.
A sample SSH proxy/plugin 303 is shown for capturing an SSH connection. This is an example of a capture component. The capture component in this embodiment comprises an SSH decryptor 304, which implements logic for decrypting SSH sessions (example code for implementing this can be found in the open source OpenSSH program, which is currently at version 5.9); SSH encryptor 305, which implements logic for encrypting SSH sessions (example code for implementing this can also be found in OpenSSH); man-in-the-middle logic 306 for performing man-in-the-middle attack on SSH sessions (further described below); policy enforcer 307, which interprets policy (the policy can be advantageously delivered to the capture component from an audit/policy server); user authentication and authorization component 308, which may check from, e.g., LDAP or Active Directory whether a user is authorized to connect to a particular service (though in some embodiments the authorization decision may be performed by the connected service, and in some embodiments delegated to an audit/policy server); and a DLP interface 309 for sending plaintext data from the session to a Data Loss Prevention server for determining whether the data can be transferred over the connection. Not all capture components need to contain all of these components (and will contain other components not shown here, such as logic for sending audit data to an audit server).
There may also be other protocol proxies, such as an RDP proxy/plugin 310 for the Remote Desktop Protocol. Details of proxies for different protocols depend on the protocol, but generally would include decryptor, encryptor, and man-in-the-middle logic components for encrypted protocols, the policy enforcer component when policy decisions related to sessions for that protocol should be made, a user authentication/authorization component where the proxy controls which services a user may access, and a DLP interface if Data Loss Prevention is used (though DLP may also be implemented by sending the data to an audit server and having the audit server connect to a DLP system).
Figure 4 illustrates a combined audit/policy/private key server 400 in an embodiment (its functionality may also be divided among multiple servers, and it may use, e.g., database servers and identity/authorization infrastructure servers). Such a server typically runs on a general purpose computer as an audit/policy server application 401, and the computer also includes an operating system 420 (e.g., Microsoft Windows or Unix/Linux), which typically provides logging services 421 such as syslog NG, crypto services 422, such as Microsoft Crypto API, and PKI services 423 (also often provided through Microsoft Crypto API or, e.g., the open source OpenSSL library), and hardware 430, which typically comprises one or more processors 431, one or more memory devices 432 (usually including both fast working memory such as DRAM, and non-volatile memory such as flash, magnetic disk, optical memory, or memristor arrays), crypto accelerator(s) 433 (such as the built-in AES accelerator in modern Intel processors or specialized cryptographic accelerator cards that are available from multiple vendors commercially) and secure key storage device(s) 434, which are often implemented using separate cryptographic accelerator cards when used. The hardware would typically also include one or more network interfaces, various buses and interfaces between processors and memory and I/O (such as PCI or USB). The computer may also access memory over networks or buses using suitable protocols, such as SCSI, iSCSI, CFS, or NFS. In general, any computer-readable memory may be used with the various aspects of the invention, regardless of the protocol or interface technology used for accessing it, except for transitory signals.
Within the audit/policy server application
401, there are typically many components. SSL/TLS pro¬ tocol 402 may be used for the connection from capture components to the audit server (though any other suit¬ able cryptographic protocol could also be used, in- eluding SSH and IPSec) . An authentication and authorization component 403 is used for authenticating users who use the audit server GUI (e.g., a web interface) to view audited sessions. It may also be used for au¬ thorizing individual sessions through capture compo- nents if the capture components have been configured to defer authorization decisions to the policy server. The audit log encryptor 404 is used for encrypting audit logs on the audit server, in order to make it more difficult to accidentally leak or compromise audit da- ta. The audit log archiver 405 is used for recording audit logs on the audit server and for archiving ses¬ sion audit logs to archival storage after a while (e.g., after 30 days) . It may, e.g., store the audit logs on a separate file server in encrypted form. It is also responsible for deleting audit logs after they are old enough, assuming they have not been marked for retention. The audit data analyzer 406 comprises an indexing system and a string/regexp matcher (and/or other pattern matcher (s) ) for detecting commands or other strings that may indicate suspicious activity (constraints configured for detecting such commands may involve, besides string matching, the user performing it, the related computers, applications exe¬ cuted, the script/command invoking the encrypted con- nection establishment, time, etc) . It may also perform OCR (Optical Character Recognition) on audit data for RDP or other graphical protocols to allow string matching against displayed data. It may also index au¬ dit data for later searching (such index could be plaintext or encrypted; passwords would preferably not be included in an index for security reasons) . 
Configurator for SSH/RDP/VNC 407 represents a component for managing client and server configurations for various protocols. Such management may include management of host keys for SSH, server certificates for RDP, etc. It may also include enabling key escrow functionality on servers and/or clients to enable faster capture. It may also cause a capture component embedded within, e.g., SSH servers to perform auditing for selected sessions.
The session viewer 408 represents a user interface for viewing audited sessions. It may be implemented, e.g., as a Java application downloaded from the management interface, as a graphical application (e.g., for Windows) that communicates with the management server using a suitable protocol (e.g., HTTP/S) to obtain an audit log (e.g., recorded session) and permit viewing it, or a video viewing element in a web user interface (implemented using, e.g., flash videos or HTML5 videos generated from a session and viewable through the user interface). The session viewer may permit searching sessions based on strings transferred, files accessed, hosts connected, time, etc. The session viewer may also be used in implementing 4-eyes monitoring, where a second administrator must monitor the actions performed by another in real time, with the ability to disconnect the session if some action is deemed inappropriate. In some embodiments, the entire user interface, including the session viewer, may be separated into one or more dedicated applications/servers (e.g., to limit the functionality performed on the performance-critical and security-critical audit servers).
The public/private key manager 409 handles private keys that the capture components use for performing man-in-the-middle attacks transparently to users (it forms the core of what is elsewhere herein called the private key server). It may hold one or more private keys (possibly storing them in the secure key storage 434). Such keys could be host keys for hosts on which services that can be accessed run. Alternatively, they could be private keys for RDP or HTTP/S. It would also be possible to have one private key that is shared among multiple services. The keys may be generated by the public/private key manager and distributed to clients and capture components. Alternatively, they may be obtained from the hosts on which services run.
The public/private key manager may also act as a server for requests from capture components for performing private key operations. It may perform such private key operations itself (after verifying that the request comes from a valid capture component authorized to perform such requests - this could be checked, e.g., by the capture component digitally signing the request using a key the audit server has generated for it, or using a shared secret to sign the request using a cryptographic hash function), possibly using the crypto services 422 and/or crypto accelerator 433. It may also forward the request to a host that has the private key for the destination host (typically the host running the service being connected to).
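The shared-secret variant of the request check described above, as an added example (not code from the patent or from any product). The request fields, the secret table, the choice of HMAC-SHA256, and the nonce-based replay cache are assumptions made for illustration; the text only requires that the request be signed with a shared secret using a cryptographic hash function.

```python
import hashlib
import hmac
import json
import os

# Constructed sample: per-component shared secrets as the key server would hold them.
COMPONENT_SECRETS = {"fw-proxy-01": bytes(range(32))}


def canonical(body):
    """Serialize deterministically so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(component_id, secret, operation, key_id, payload, nonce=None):
    """Capture component side: build a private key operation request with an HMAC tag."""
    body = {
        "component": component_id,
        "op": operation,        # hypothetical operation name, e.g. "sign"
        "key_id": key_id,       # hypothetical identifier of the private key to use
        "payload": payload.hex(),
        "nonce": (nonce if nonce is not None else os.urandom(16)).hex(),
    }
    mac = hmac.new(secret, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


class KeyServer:
    """Key server side: authorize a request before any private key is touched."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)
        self._seen = set()  # (component, nonce) pairs already accepted (assumed addition)

    def authorize(self, message):
        """Return (True, "ok") or (False, reason). Fails closed on anything unexpected."""
        body = message.get("body") if isinstance(message, dict) else None
        mac = message.get("mac") if isinstance(message, dict) else None
        if not isinstance(body, dict) or not isinstance(mac, str):
            return False, "malformed"
        component = body.get("component")
        nonce = body.get("nonce")
        if not isinstance(component, str) or not isinstance(nonce, str):
            return False, "malformed"
        secret = self._secrets.get(component)
        if secret is None:
            return False, "unknown component"
        expected = hmac.new(secret, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking how many tag characters matched.
        if not hmac.compare_digest(expected.encode(), mac.encode()):
            return False, "bad mac"
        if (component, nonce) in self._seen:
            return False, "replay"
        self._seen.add((component, nonce))
        return True, "ok"


if __name__ == "__main__":
    server = KeyServer(COMPONENT_SECRETS)
    request = sign_request("fw-proxy-01", COMPONENT_SECRETS["fw-proxy-01"],
                           "sign", "host-key-1", b"\x01\x02")
    print(server.authorize(request))   # first use is accepted
    print(server.authorize(request))   # the identical message is rejected as a replay
```

The MAC covers the component name, the operation, the key identifier and the payload together, so a request authorized for one key cannot be replayed against another.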
The key distributor and generator 410 takes care of generating key pairs and distributing them to hosts. In some embodiments, it may also generate host keys for managed SSH servers and send such host keys to both the servers and the clients (possibly through intermediaries).
The policy configurator 411 includes a user interface for configuring policies relating to which users can connect to which services (e.g., applications or computers) and what operations they can perform using such services. In some embodiments, the policies may be based on memberships of users in Active Directory groups, components of their distinguished names, etc. Computers and applications and groups relating to them may also be accessible from directories, and may be used in configuring the policy. Generally, it is known in the art how to implement such policies, as similar policy systems are used in many firewalls, intrusion detection systems, and, e.g., the known PowerBroker product (though for a somewhat different purpose). Here, the policy also controls which actions within protocol sessions are permitted (e.g., which files the user may access or whether port forwarding is allowed) and whether the session is to be recorded (audited), and if so, to what level of detail (e.g., all data, or just file names for transmitted files). The policy may also take into account the location of the client, the capture component(s) through which it is transmitted, and the location of the server.
The policy distributor 412 distributes the policy, or some aspects of it, to the individual capture components (whether in firewalls, SSH servers, or otherwise). The distributed policy may be the original policy in suitable encoding (e.g., ASCII file or ASN.1 encoded binary file). It may also be compiled into some kind of optimized filter code (which may be executable or interpreted data structures). The policy distributor preferably tracks which capture components have already successfully received their policy, and retries transmitting the policy when it receives a connection from the capture component, or tries to periodically push it to the capture component until successful or the capture component is removed from the system (e.g., by removing it through the administrative user interface).
The policy enforcer 413 enforces the policy with respect to a session. Such enforcement is in some embodiments done partially or fully by the capture component, but in some other embodiments the capture component may suspend the session and send a request to the policy server to make the policy decision. The policy server determines whether the operation in the session is to be allowed and delivers the result to the capture component.
The deployment facilitator 414 handles enrollment of new capture components and/or protocol servers (e.g., SSH servers) into the system. In one embodiment, each installed capture component is provided with a shared secret (e.g., through a user interface in a firewall, SSHD configuration file, or by embedding it into the capture component binary when downloading it from the audit server or other suitable server). When the capture component first connects to the audit server, it authenticates itself using the shared secret (equivalently, it could be supplied with a private key and a digital signature could be used), and a new shared secret is negotiated (e.g., using the Diffie-Hellman protocol) or generated by the capture component or the audit server and delivered to the other party encrypted (e.g., encrypting it using the shared secret or a session key generated using, e.g., Diffie-Hellman). Thereafter, the new shared secret is used for authenticating the capture component to the audit server and, e.g., authorizing requests to perform a private key operation.
The session state monitor 415 tracks which sessions are active through any of the capture components connected to the auditing system (in some embodiments, it may only track audited sessions). Advantageously, it also provides a user interface (e.g., web GUI) for displaying active connections and searching/sorting connections by user, host, application, protocol, firewall, location, etc.
The high availability component 416 implements high availability for the audit server using any known method for implementing high availability. In one embodiment, the audit server itself is stateless, and a distributed database is used for storing all state about active connections. Capture components communicate with the audit server using UDP (or open a new TCP connection if the old one gets disconnected). It is well known in the art of building web applications how to implement high availability using such stateless servers and a high-availability database (e.g., some versions of MySQL and Oracle support high availability). However, the server could also be implemented using stateful design, as is known in the art of designing network servers and web applications.
The iCAP sender or DLP (Data Loss Prevention) component 417 implements a Data Loss Prevention interface. It may operate in Detective Control mode, which provides visibility to what has been transferred, or Preventive Control mode, which can actually prevent disallowed data from getting out. In Preventive Control mode, the system generally buffers received data and holds it for a while, sends the data for DLP analysis (possibly using the iCAP protocol), and waits for the DLP subsystem to determine whether the data can be allowed to go through. The data is not actually sent to the other side of the control device until the DLP subsystem gives permission to do so. In Detective Control mode, data can be passed through immediately, but a copy of it is sent to the DLP subsystem for analysis. This allows higher performance and lower delays, but can only detect breaches after they have already occurred. The iCAP protocol is described in RFC 3507, which is hereby incorporated herein by reference (it is freely available for download from www.ietf.org). Other suitable protocols may also be used.
Figure 5 illustrates packet flow across the capture component (FW/proxy 502) when a client 501 connects to a server 503 using the SSH protocol. First, the client opens a TCP connection to the server 504, which gets redirected by the firewall's application gateway functionality to the application proxy 502. The proxy then opens a TCP connection 505 to the destination host/server 503 (typically using functionality/APIs provided by the firewall). The server sends its version number 506 to the proxy, which forwards it to the client 507. Then, an SSH key exchange is performed between the client and the proxy 508, and another key exchange is performed between the proxy and the server 509 (these exchanges may occur simultaneously, or connecting to the server may be delayed until the key exchange between the client and the server has been completed and the client has authenticated to the proxy). During the exchanges, the client typically thinks it is communicating with the server. After the key exchange, when the client sends a packet to the server 510, the proxy normally forwards it to the server 511, and vice versa 512, 513. However, the proxy may inspect the packets and perform policy decisions on which operations are allowed. If it disallows an operation, it may, e.g., terminate the connections to the client and server, or synthesize a response to the request denying it (but otherwise allowing the connection to continue).
If either the client or the server is co-operating with the capture component, they may use key escrow to the capture component's key to disclose the session keys to the capture component, allowing the capture component (and/or the audit server) to decrypt the data without performing a man-in-the-middle attack. In one embodiment, using the SSH protocol, the capture component inserts a specially formatted "IGNORE" packet in the packet stream going in each direction before the first "KEXINIT" packet. The IGNORE packet includes a magic cookie that permits a co-operating implementation to recognize it as indicating that a capture component is present between the client and the server. This also permits the client to display a notice about auditing to the user, if appropriate. The IGNORE packet also contains a signature by the capture component (by a key held by the capture component) with a certificate indicating it as a valid capture component signature in the organization, hash-signature using a shared secret held by the client and the audit server or capture component (or some element that they can ask to sign the message). However, the signature is optional. Upon detecting such IGNORE message (and, if a signature is present, upon validating the signature), a co-operating client or server includes an IGNORE message just before taking the new keys into use, the IGNORE message containing the session keys (particularly the encryption keys, or at least an encryption key for one direction) or data from which the session keys can be derived for the session. The keys or related data should be encrypted before including it in the IGNORE message, such that only the capture component (or the audit server, or other suitable secure process) can decrypt the data. One possibility is for each enterprise to have a key escrow key pair, where the private key is held by the audit server and the public key is distributed to all clients as part of their configuration.
The client then encrypts the session keys/data using the public key, sends them to the capture component in an IGNORE message that contains identification identifying it as a key escrow message and identifying the public key, the capture component forwards the key escrow message to the audit server, the audit server decrypts/computes the session keys, and if the capture component needs access to the keys (e.g., for making policy or authorization decisions), the audit server sends the keys to the capture component over an encrypted channel that it has with the capture component. The key escrow IGNORE message is re-sent during rekeying before taking the new keys into use.
Advantages of using this kind of co-operative key escrow over the known prior art include higher performance of the capture component (it will not need to do man-in-the-middle attack, eliminating the need to have access to the service's private key and eliminating the need to re-encrypt the data with a different key to the destination host), and when policy decisions are delegated to the audit server, eliminating the need to decrypt the session in the capture component entirely (the capture component could then forward each packet to the audit server, and upon receiving permission from the audit server to forward the packet, forward it to the host at the other end of the connection).
Figure 6 illustrates various packet formats that may be used on the connection between the capture component and the audit server and/or in recorded session logs on the audit server.
In one embodiment, a session recording (session log data) 600 comprises session keys 601 (preferably encrypted by a key encrypting key securely held within the audit server, or encrypted by a public key the private key to which is only accessible to personnel authorized to read audit logs) and encrypted session data 602 (which can be a simple recording of the entire session; however, with additional headers indicating the direction from which each packet or byte was received). The session log packet 610 illustrates the layout of a packet in the session log in one embodiment. The sequence number 611 indicates the sequence number of the packet in the stream (the sequence number is used in the SSH protocol for authentication/encryption, but is only needed if not all packets are included in the session log - otherwise the sequence number is simply the packet's position in the stream for that direction). The direction 612 indicates whether the packet was received from the client or from the server. The length 613 indicates the number of bytes in the packet. The data 614 is the original packet (encrypted by the session keys). The original packet may or may not contain the message authentication code (including it may make non-repudiation possible, especially if a co-operating server or client escrows the MAC keys using a separate public key for which the private key is only available to a limited number of people doing non-repudiation checks).
The key escrow packet 620 illustrates a possible layout of an IGNORE message used for key escrow. The escrow packet identification 621 is a predetermined value used for identifying the packet as a key escrow packet. The escrow key id 622 identifies the public key that was used for encrypting the session key(s). It might be a copy of the public key, or some other identifier (e.g., small integer) understood by the audit server. The key encrypted using escrow key 623 is the key encrypted using the public key (or a random key encrypted by the public key followed by data encrypted by the random key, if the key/data is too long to be encrypted by the public key directly).
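A reader and writer for the two Figure 6 layouts, the session log packet 610 and the key escrow packet 620, as an added example that is not part of the patent text. The field widths (4-byte sequence number, 1-byte direction, 4-byte length), the direction encoding, the `ESCROW_MAGIC` placeholder and the use of SSH strings for fields 622 and 623 are assumptions; only the SSH_MSG_IGNORE message number and its single string field come from the SSH transport protocol.

```python
import struct

# Session log packet 610: sequence number 611, direction 612, length 613, data 614.
LOG_HEADER = struct.Struct(">IBI")      # assumed field widths
DIR_FROM_CLIENT, DIR_FROM_SERVER = 0, 1  # assumed encoding of direction 612

SSH_MSG_IGNORE = 2                        # SSH transport message number
ESCROW_MAGIC = b"EXAMPLE-KEY-ESCROW-v0"   # placeholder for the predetermined value 621


def pack_log_packet(seq, direction, data):
    if direction not in (DIR_FROM_CLIENT, DIR_FROM_SERVER):
        raise ValueError("unknown direction")
    return LOG_HEADER.pack(seq, direction, len(data)) + data


def iter_log_packets(blob):
    """Yield (seq, direction, data) per record; raise ValueError on a damaged log."""
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < LOG_HEADER.size:
            raise ValueError("truncated header at offset %d" % offset)
        seq, direction, length = LOG_HEADER.unpack_from(blob, offset)
        offset += LOG_HEADER.size
        if direction not in (DIR_FROM_CLIENT, DIR_FROM_SERVER):
            raise ValueError("bad direction at offset %d" % offset)
        if len(blob) - offset < length:
            raise ValueError("truncated data at offset %d" % offset)
        yield seq, direction, blob[offset:offset + length]
        offset += length


def missing_sequence_numbers(records):
    """Per direction, list sequence numbers absent from the log (partial recordings)."""
    seen = {DIR_FROM_CLIENT: set(), DIR_FROM_SERVER: set()}
    for seq, direction, _data in records:
        seen[direction].add(seq)
    return {d: sorted(set(range(max(s) + 1)) - s) if s else [] for d, s in seen.items()}


def ssh_string(value):
    return struct.pack(">I", len(value)) + value


def read_string(buf, offset):
    if len(buf) - offset < 4:
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, offset)
    if len(buf) - offset - 4 < n:
        raise ValueError("truncated string body")
    return buf[offset + 4:offset + 4 + n], offset + 4 + n


def build_escrow_ignore(key_id, encrypted_key):
    """IGNORE payload whose data field carries 621 | 622 | 623."""
    inner = ESCROW_MAGIC + ssh_string(key_id) + ssh_string(encrypted_key)
    return bytes([SSH_MSG_IGNORE]) + ssh_string(inner)


def parse_escrow_ignore(payload):
    """Return (key_id, encrypted_key), or None for anything that is not a key escrow."""
    if not payload or payload[0] != SSH_MSG_IGNORE:
        return None
    inner, _end = read_string(payload, 1)
    if not inner.startswith(ESCROW_MAGIC):
        return None                       # ordinary IGNORE padding, pass it through
    key_id, offset = read_string(inner, len(ESCROW_MAGIC))
    encrypted_key, offset = read_string(inner, offset)
    if offset != len(inner):
        raise ValueError("trailing bytes in key escrow packet")
    return key_id, encrypted_key


if __name__ == "__main__":
    # Constructed sample log: client packet 1 was not recorded.
    log = (pack_log_packet(0, DIR_FROM_CLIENT, b"aaa")
           + pack_log_packet(0, DIR_FROM_SERVER, b"bb")
           + pack_log_packet(2, DIR_FROM_CLIENT, b"c"))
    print(missing_sequence_numbers(list(iter_log_packets(log))))
    print(parse_escrow_ignore(build_escrow_ignore(b"\x00\x07", b"<ciphertext>")))
```

The encrypted key is treated as opaque bytes here; decrypting field 623 with the escrow private key is left to the audit server.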
Figure 7 illustrates processing an incoming connection by the capture component in an embodiment. The processing begins when an incoming connection is received 700 (typically using the TCP/IP protocol). A connection is then opened to the destination server 701 (though in another embodiment connecting to the destination server might be delayed until the user making the connection has been authenticated to the capture component). An SSH key negotiation according to the SSH protocol is then performed with both sides 702 (the host initiating the connection and the intended destination host). The intended destination host is usually identified by the destination IP address (e.g., if the capture component runs as an application proxy in a firewall and captures connections as an intermediary), but could also be, e.g., preconfigured, passed as part of the user's name during user authentication (in this case, user authentication would be performed before connecting to the destination host), or in some other part of the exchange (e.g., as a message that is an extension to the current SSH protocol as standardized by the IETF).
After the above described steps, an SSH transport layer connection exists with both the initiating host and the destination host, and packets can be exchanged between the hosts, encrypted by the SSH protocol in accordance with the protocol specification. If end of session is detected 703, logging the session to a session log is finalized 704 (e.g., by sending a packet to the audit server indicating that the session has been closed) and processing for the incoming session is complete 705 and the session is now closed.
If more data is available for the session without encountering end of session, a packet is read from the connection (it may be received from either the initiating host or the destination host, and the source should preferably be recorded with the packet for later processing) and decrypted using the encryption keys negotiated with the side that sent the packet 706. Policy is then enforced on the packet 707 (e.g., checking whether the packet is a request to open a port forwarding connection, and if so, checking whether the request should be allowed according to the configured policy; if the request is to be denied, a response packet to that effect is constructed according to the SSH protocol and sent to the host that sent the request packet - or alternatively the session could be, e.g., disconnected, and/or the request could be logged and/or alerts triggered/generated using, e.g., SNMP traps, SMS text messages, and/or e-mail). If the packet is allowed, then execution continues from 708, and if session logging (recording) is enabled for the session, the packet is sent to the session log 708 (e.g., by sending it to the audit server using a connection that exists with the audit server). If the session is not logged, this step can be skipped. Then, the packet (or some content from it, possibly combined with content from other packets) is optionally sent to data loss prevention (DLP) analysis 709, e.g., using the iCAP protocol. The DLP system may respond by allowing the packet to pass through, or may deny sending the packet or, e.g., cause disconnecting the session.
The packet is then re-encrypted with the encryption and message authentication keys for the other host 710 (initiating host if the packet was originally received from the destination host, and vice versa).
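The policy step 707 for port forwarding requests, as an added example that is not part of the patent text: it inspects one decrypted SSH payload and either forwards it, denies it with a reply built according to the SSH connection protocol, or asks for the session to be disconnected. The message numbers and field layouts are those of the SSH connection protocol; the `POLICY` table, user names, hosts and the three action names are constructed for illustration.

```python
import struct

# SSH connection protocol message numbers and reason code.
SSH_MSG_GLOBAL_REQUEST = 80
SSH_MSG_REQUEST_FAILURE = 82
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_OPEN_FAILURE = 92
SSH_OPEN_ADMINISTRATIVELY_PROHIBITED = 1

# Constructed policy: who may forward ports, and to which (host, port) targets.
POLICY = {
    "alice": {"allow_port_forwarding": True,
              "forward_targets": {("db.internal.example", 5432)}},
    "bob": {"allow_port_forwarding": False, "forward_targets": set()},
}
DENY_ALL = {"allow_port_forwarding": False, "forward_targets": set()}


def put_string(value):
    return struct.pack(">I", len(value)) + value


def take_string(buf, offset):
    (n,) = struct.unpack_from(">I", buf, offset)
    if offset + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[offset + 4:offset + 4 + n], offset + 4 + n


def channel_open_failure(recipient_channel):
    """Reply addressed to the channel number the requester chose for itself."""
    return (bytes([SSH_MSG_CHANNEL_OPEN_FAILURE])
            + struct.pack(">II", recipient_channel, SSH_OPEN_ADMINISTRATIVELY_PROHIBITED)
            + put_string(b"port forwarding denied by policy") + put_string(b"en"))


def enforce(user, payload):
    """Return (action, reply): 'forward', 'deny' (reply or silent drop) or 'disconnect'."""
    rules = POLICY.get(user, DENY_ALL)
    try:
        msg = payload[0]
        if msg == SSH_MSG_CHANNEL_OPEN:
            channel_type, offset = take_string(payload, 1)
            sender_channel, _window, _max_packet = struct.unpack_from(">III", payload, offset)
            offset += 12
            if channel_type == b"direct-tcpip":
                host, offset = take_string(payload, offset)
                (port,) = struct.unpack_from(">I", payload, offset)
                target = (host.decode("utf-8", "replace"), port)
                allowed = rules["allow_port_forwarding"] and target in rules["forward_targets"]
                if not allowed:
                    return "deny", channel_open_failure(sender_channel)
        elif msg == SSH_MSG_GLOBAL_REQUEST:
            name, offset = take_string(payload, 1)
            want_reply = payload[offset] != 0
            if name == b"tcpip-forward" and not rules["allow_port_forwarding"]:
                # Without want_reply the request is dropped from the stream silently.
                return "deny", bytes([SSH_MSG_REQUEST_FAILURE]) if want_reply else None
    except (struct.error, IndexError, ValueError):
        return "disconnect", None   # fail closed on anything that does not parse
    return "forward", None


def sample_direct_tcpip(channel, host, port):
    """Constructed CHANNEL_OPEN for a client-to-server forward."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + put_string(b"direct-tcpip")
            + struct.pack(">III", channel, 2097152, 32768)
            + put_string(host.encode()) + struct.pack(">I", port)
            + put_string(b"192.0.2.10") + struct.pack(">I", 50000))


def sample_tcpip_forward(want_reply):
    """Constructed GLOBAL_REQUEST asking the server to listen on a port."""
    return (bytes([SSH_MSG_GLOBAL_REQUEST]) + put_string(b"tcpip-forward")
            + bytes([1 if want_reply else 0])
            + put_string(b"0.0.0.0") + struct.pack(">I", 8080))


if __name__ == "__main__":
    print(enforce("alice", sample_direct_tcpip(3, "db.internal.example", 5432)))
    print(enforce("alice", sample_direct_tcpip(7, "10.0.0.5", 3389)))
    print(enforce("bob", sample_tcpip_forward(True)))
```

A denied request yields a reply for the requesting side only; nothing is sent to the other host, so the rest of the session continues as described for step 707.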
Figure 8 illustrates how a capture component may send audit data about a session to an audit server in an embodiment. These actions would advantageously be performed in conjunction with processing an incoming session, though they could also be delayed, e.g., if the connection to the audit server cannot be made in real time when the session is opened or if log data is otherwise queued/buffered at a capture component. Establishing a connection to an audit server begins at 800; this would typically take place when an incoming connection is received from a client when the connection has been authenticated, but could also be delayed. First, a connection is opened to the audit server 801, then encryption is negotiated with the audit server 802, using, e.g., the SSL, TLS, or SSH protocol (the encryption used could equivalently for the purposes described here be hard-coded or preconfigured). In the illustrated embodiment, these steps are performed once for each session, but it would also be possible for the capture component to perform these steps only once, and perform the remaining steps 803-807 for each session, including an identifier for the session in the packets sent to the audit server where appropriate.
A session start record is sent to the audit server at 803. This record informs the audit server that a new session begins and would typically identify the initiating and destination host IP addresses, and if user authentication has already been performed, the identity of the user, and possibly things like the requested service (these pieces of information could equivalently be sent using separate packets when they are available). The communication between the capture component and audit server is encrypted using the negotiated encryption protocol.
As long as there are more session packets 804, a packet belonging to the audited session or some parts thereof are wrapped into log packet headers 808 and sent to the audit server 809 using the negotiated encryption protocol. The sent packet could contain decrypted plaintext data of the received packet (see 706), or could be the original received encrypted packet, or could be the encrypted packet sent to the other side in 710 (if it is an encrypted packet, the encryption keys or data for deriving them should be sent to the audit server at 803 or at some other time; in some embodiments, the key-related data could also be sent to and stored at a completely separate server for added security).
When no more packets are available for the session (end of the session has been reached), a session end record is sent to the audit server 805 using the negotiated encrypted protocol, the connection to the audit server is closed 806, and auditing the session is complete 807. (If multiple sessions are logged using the same connection to the audit server, then steps 806 and 807 would not normally be performed for every session.) The audit server could also be configured to automatically interpret a session as ending if connection to the capture component is lost (TCP connection closed or time-outs).
Figure 9 illustrates processing an incoming connection 900 at an audit server in an embodiment. The connection is received at 901, and encryption is negotiated between the audit server and the capture component 902, including authenticating the client (in this case, capture component) to the audit server (e.g., by having each capture component possess a private key used to sign a suitable value as part of the negotiation, and using a corresponding public key at the audit server to verify the signature - examples of a similar operation can be found from, e.g., the SSH protocol). If EOF is received 903 (end-of-file, or other indication that no more data will be forthcoming from the connection), the connection is closed 904 (recording end of session for non-closed sessions being audited through the connection in some embodiments, though in some other embodiments logging such sessions could continue using another connection) and handling the connection is complete 905.
If a packet is received from the connection 906, it is decrypted according to the negotiated encryption protocol, and the received packet is processed. Generally, the packet is written to an audit log file 907, but other processing could also take place in addition to or in place of the write - for example, a session start record could trigger opening a new audit log file.
In one embodiment, an SSH, RDP, VNC, HTTP/S, or FTP/S session is captured by a plugin (application proxy) installed in a firewall. Many firewalls, including many Juniper models, allow new application proxies to be written by third parties and uploaded into the firewall through its administrative interfaces. The application proxy implements the capture component as a software module. The capture component is accompanied with configuration data, including the IP address of the audit server, information for authenticating the management server (e.g., shared secret, public key, certificate, or CA certificate of the manager), and policy configuration information received from the audit/policy server. In an embodiment, the capture component is also accompanied by the private key corresponding to one or more SSH host keys, or SSL host certificate, and possibly by a certificate and/or public key corresponding to the private key.
The firewall is configured to direct one or more protocols (e.g., by TCP/IP port number) to the application proxy. The firewall redirects packets destined to a destination host to the application proxy, typically terminating the TCP/IP connection and connecting it to the proxy (even though the connection was destined to an IP address different from the firewall's address). The firewall may also open a TCP/IP connection to the destination host, or may leave it to the application proxy to open a connection to the destination host. Typically, the firewall would manipulate source IP addresses for the connection to the destination host so that it looks to the destination host as if the connection came from the initiating host. However, the firewall may also use its own address for the connection. Advantageously, the firewall makes the original initiator and destination IP addresses and port numbers available to the application proxy.
The firewall may also act as a NAT device or VPN gateway (using, e.g., the IPSec protocol - the IPSec protocol could also be used for securing any of the encrypted connections). Audit data from the capture component is advantageously collected to an audit server that is not within the firewall; several firewalls (and other audit data sources) could audit to the same audit server. Many firewalls can operate in either bridged or routed mode.
Benefits of this embodiment over the prior art include the ability to handle pass-through traffic at the full speed supported by the firewall; the ability to install the capture component remotely without requiring an administrator to go and physically install it on the boxes (in this case, hardware appliances); improved reliability because no additional devices will be required; ease of diagnosing problems because the person diagnosing the problem will only need to understand the firewall, not completely separate boxes; the ability to record sessions from multiple firewalls into a single audit data server for storage and analysis; the ability to operate non-intrusively, without changing what SSH/RDP/etc. clients end users/administrators use. Known prior art solutions require a special device or virtual machine to be added, through which all audited connections must be routed. No known prior art solution is able to collect audit data (e.g., session recordings) from multiple points into a single audit server. A single audit server is easier to secure, easier to back up and make fault-tolerant, and allows multiple entry points to an organization (firewalls) and internal access (via server auditing) to be consolidated into a single system for analysis, without requiring a security administrator to access potentially dozens of systems to find a particular session recording or check what sessions a particular user has had or who has accessed a particular service.
In one embodiment, the capture component is implemented as part of an SSH (Secure Shell protocol) server (e.g., as an integral component built into the server or as a plugin or dynamically loadable library). When a connection arrives at the server, encryption is negotiated with the end host according to the SSH protocol. When packets are being sent, they are passed to the capture component (essentially steps 706-709) before encrypting them, and received packets are decrypted, and then passed through the capture component (essentially steps 706-709) before passing them to the rest of the SSH protocol code.
Parts of the capture component could be integrated into other parts of the SSH server, such as making policy decisions regarding port forwarding in the code that handles port forwarding packets. Auditing of packets would most naturally be done between other packets and encryption/decryption as described above; however, it could also be done for the encrypted packet if the encryption keys or data for deriving them are made accessible to the audit server. DLP functionality could advantageously be implemented as part of the code that handles file transfers and/or the SFTP protocol.
In one embodiment, the capture component is implemented as part of an SSH server, but is configured to audit data transmitted through a channel in the SSH channel protocol. One advantageous use of this configuration would be for auditing a forwarded RDP connection. In one embodiment, the SSH server is configured to audit a session (using any protocol that can be audited) transmitted using a channel in another SSH protocol session. Thus, an SSH session inside another SSH session (possibly nested many times) could still be audited.
Benefits of implementing the capture component in servers include the ability to audit sessions without installing any additional devices to the network and without modifying firewalls. Adding application proxies to firewalls may require authorization from a different group in an organization, which may sometimes be difficult to obtain from an organizational process standpoint and may thus be commercially important in enabling sale and deployment of product quicker. It also allows internal access which does not go through any firewalls to be audited, including access between virtual machines running on the same hardware in, e.g., a VMware virtualization environment. No known prior art SSH auditing solution is able to perform the auditing directly in the server; however, some RDP servers have a feature for saving the contents of the session to a file. Even they are not known to be able to store such audit data centrally and/or in protected format on an audit server.
In one embodiment, the capture component is implemented as part of an SSH client. Generally, the implementation in a client is quite analogous to the implementation in a server. The benefits are similar to the server case.
In one embodiment, the capture component is implemented as part of a host-based firewall. The benefits are similar to implementing it in a physical firewall at a network boundary.
In one embodiment the SSH client and/or the SSH server escrows the session encryption key(s) to the capture component that is in the middle of the network. The benefits of this embodiment include allowing auditing (session recording) to be performed without decrypting and re-encrypting the traffic (basically, without doing a man-in-the-middle attack). Benefits of this approach include higher performance of the capture component (eliminating encryption/decryption there if no policy enforcement is required (potentially multiplying performance/throughput) and eliminating re-encryption if policy enforcement is needed (potentially almost doubling performance/throughput)).
In one embodiment, the man-in-the-middle attack is performed by terminating the SSH session initiated at the initiating host at the capture component, and initializing an entirely new SSH session from the capture component to the destination host. In this embodiment, data transmitted in various channels is buffered at the capture component and re-packetized for transmission to the other side.
In one embodiment, the man-in-the-middle attack is performed without fully terminating the SSH session at the capture component. Encryption is terminated at the capture component, but the same packets are re-encrypted for the other side (with a different key). Channel windows of the SSH channel protocol are not terminated at the capture component, but instead are end-to-end through it. There is no per-channel buffering of the channel data and no re-packetizing of the data. Nevertheless, the capture component may refuse to forward some packets/requests to the other side and may instead reject some requests and send back a packet to that effect (as specified in the SSH protocol). Some packets/requests may be rejected by silently deleting them from the stream. Yet other packets/requests may be rejected by terminating the session.
In one embodiment, the vast majority of packets are transmitted through the capture component without reconstructing the packets. Reconstructing means that new SSH packet headers are constructed for the packets or that data is re-packetized. Just decrypting and re-encrypting the same packet is not considered reconstructing. In one embodiment, more than 50% of all packets in a session are handled in man-in-the-middle capture without reconstructing the packets.
The benefits of performing the man-in-the-middle attack without fully terminating the SSH session at the capture component over the prior art include higher performance and lower memory requirements (because no buffer memory and processing is required), which allows the same hardware to handle a much higher number of simultaneous connections and provide higher throughput (bits/second).
In one embodiment, the capture component and the audit server reside on different hosts (physical or virtual hosts). Known prior art solutions store recorded sessions on the same hosts on which the capture is performed. The benefits of sending the audit data to a separate server include separation of functions as required by various security standards and regulations; the ability to collect audit data from multiple points into a single server for analysis and storage; offloading compute-intensive functionality from the capture component (which may run in a firewall with limited or expensive computational resources) to one or more general purpose computers where computing resources are cheaper and more easily expandable; such offloading also allows better throughput and more connections through a firewall; the separation also makes it more difficult for administrators to subvert the system since they generally will not have access to the audit server and recorded sessions (or even the machine that contains them).
In one embodiment, the capture component sends substantially all data exchanged in a session to an audit server in decrypted form (however, the transmission to the audit server uses an encrypting protocol for that connection). A benefit of this approach is that the audit server does not need to decrypt the session before analyzing it. In one embodiment, the audit server encrypts the received audit data using a special session recording encryption key, which is further encrypted by a key encrypting public key.
In one embodiment, an encoded policy is sent from an audit server or policy server to a capture component. The policy may be, e.g., an ASCII file or a binary blob (e.g., using ASN.1 DER encoding) and may be digitally signed and/or encrypted. In one embodiment, the encoded policy is used by a capture component in deciding whether a session or an action in a session is authorized. The policy could be structured as an ordered set of policy rules, similar to a firewall policy or IPSec security policy, specifying which hosts may connect. It may also contain more detailed policies, on per-host, per host-group, per-application, or default basis. Such detailed policies may describe, e.g., which port forwardings are permitted, which files may be accessed and how, or which commands may be executed in an interactive shell. It is generally well known in the art how to implement evaluation of a packet or request against such policy rules.
In one embodiment, the encoded policy limits which files can be accessed using SFTP or FTP/S protocol. In one embodiment, the policy contains one or more file paths or regular expressions that specify which files and/or directories can be accessed, and whenever a file is opened or created, it is checked whether the policy allows the named file to be accessed in the specified manner. The file name given in the request may be combined with the name of the current working directory before making the check. No prior art is known for controlling, using a capture component, which files may be accessed in an SFTP or FTP/S session. The benefits of this embodiment over the prior art include the ability to control access to files at a firewall (or in a capture component in a server) even for encrypted sessions. This increases the security of access to files, can provide an extra protection layer against accidental user or configuration errors, and allows improved control over which files each user can access.
In one embodiment, a capture component requests a private key from a private key server / audit server in response to receiving a connection that uses a private host key for which the capture component does not have the private key. In one embodiment, the capture component sends a request to the private key server, the private key server looks the key up from a database or requests it from another server, and sends the key to the capture component. If the key is not available, an error notification is sent to the capture component.
In one embodiment, a man-in-the-middle attack is performed without having a private key for the destination host (e.g., a private SSH host key or private key corresponding to an RDP certificate) at the capture component. In this embodiment, when the capture component needs to perform a man-in-the-middle attack for a session, it sends information relating to the session to a private key server / audit server, causing it to perform the private key operation on behalf of the capture component and send the results back to the capture component, and, upon receiving the results of the cryptographic operation, the capture component performs the man-in-the-middle attack. In one embodiment, the private key server / audit server further sends the relevant information and the request to another host or application that has access to the relevant private key, causing it to perform the cryptographic operation using the private key and to send the results to the private key server / audit server, which further sends them to the capture component (the server could also send the result directly to the capture component, and the audit server could direct the capture component to contact the appropriate server for performing a cryptographic operation using a particular private key). The benefits of performing the man-in-the-middle attack without direct access to the private key include easier compliance with industry security standards such as PCI, some of which require that a private key may only be stored in one location; this unexpected benefit is not provided by any of the known prior art solutions.
In one embodiment, when a capture component requests a private key or to perform a cryptographic operation using a private key, the capture component signs the request using a private key enrolled for the capture component when it was connected to the private key server and for which the audit server has the corresponding public key or certificate, and the audit server validates that the private key request comes from a valid capture component by validating the signature. A shared secret or hash-based signature could also be used. A request from the private key server to another server may be similarly signed by the private key server (or the original signature may be forwarded).
In one embodiment, the capture component collects data from one or more plaintext packets (decrypted packets or packets that have not yet been encrypted if capturing outgoing packets in SSH client or server) and sends it to a Data Loss Prevention (DLP) system using the iCAP protocol. In one embodiment, the capture component waits for a response from the DLP system before allowing the data to be forwarded to the other side of the capture component. In one embodiment, the request to transmit the data is rejected by synthesizing an error message in accordance with the protocol used for the session back to the requestor. In one embodiment, the session is terminated in response to a DLP system indicating that the data must not be transmitted. In one embodiment, a limited amount of data can be transmitted before waiting for a response from a DLP system. An advantage of sending data to the DLP system using the iCAP protocol over the prior art is that it permits the DLP system to reside in a remote location, and permits any iCAP-compliant DLP system to be used. An unexpected benefit of using iCAP from the capture component for DLP is that it permits preventive DLP, i.e., the capture component can wait until it receives permission from a DLP system before forwarding the data.
In one embodiment, the capture component waits until it has received an entire file being transmitted, then sends it to a DLP system using the iCAP protocol, and in response to receiving a permission from a DLP system sends the file to the destination. In one embodiment, the session is suspended, then the iCAP request is sent, and upon receiving the response, the session is resumed (if action permitted), or a rejection response is sent, or the session is terminated based on the configured policy and the details of the response from the DLP system. In one embodiment, a cryptographic hash of the file is computed before sending the file to a DLP system, and the hash value is used as a key to a cache data structure or database of files previously inspected using a DLP system, to avoid unnecessary re-inspection of a file that is transmitted multiple times across the capture component (possibly to a different destination). A benefit over the prior art is that preventive DLP can be supported for entire file transfers. Equivalently, a different protocol for sending data to a DLP system and receiving an accept/deny type response (possibly with more nuances and/or additional information) could be used.
In one embodiment, the data is sent to an anti-virus system or malware checker instead of a DLP system, and the request to transfer the file is rejected if it contains malware or a virus. None of the known prior art solutions are able to prevent malware or a virus from being transferred, as they do not support suspending the session for the duration of the check and responding based on the results of the check. Caching could be used similarly as with DLP.
In one embodiment, the audit server sends data extracted from audit data packets received from a capture component to a Data Loss Prevention system, and if the data loss prevention system informs the audit server that the action is not allowed, the audit server informs the capture component that the action is not allowed. In one embodiment, this causes the capture component to terminate the connection. In another embodiment, the capture component suspends the session after sending audit data to the server until it receives a reply from the audit server, and depending on the type of the reply, resumes the session (by forwarding the packet to the other side with the proper encryption), terminates the session, or rejects the request. The benefits of doing DLP from the audit server in this manner include lower DLP system licensing costs (because only one host or a low number of audit server hosts will connect to the DLP server) and the ability to work around internal firewalls which might not permit all capture components to connect to the DLP system (particularly when some capture components reside in SSH servers in specially secured locations), improving the robustness of the solution and reducing customer support requests and costs.
In one embodiment, when a policy, DLP, anti-virus, or malware prevention system rejects a request, an alert is triggered. Such an alert may be triggered by, e.g., sending an SNMP trap to a network management system, ticketing system, or some other enterprise management system, by sending an SMS text message, by sending an e-mail, and/or in any other suitable manner known in the art. The session may also be flagged in the audit server as warranting special inspection and/or investigation. The flagging functionality provides the benefit of bringing suspicious sessions to the attention of the security administration, allowing suspicious behavior to be detected early, often before concrete damage is done.
In one embodiment, when a policy decision needs to be made on a packet in step 707, the capture component suspends the session (or the channel to which the packet relates), sends information about the packet to the policy server so that the policy server can make a policy decision about the session, and upon receiving a response from the policy server, resumes the session, rejects the request, or terminates the session.
In one embodiment, the session is suspended by a capture component after user authentication, and a request to authorize the session is sent to the audit/policy server. When the audit/policy server responds, the session is resumed or terminated depending on the response. The response may also include policy restrictions to be applied to the session. In one embodiment, the audit server adds the session to sessions requiring 4-eyes authorization and keeps the session suspended until another properly authorized user connects to the audit/policy server (directly or indirectly using suitable software, such as a web browser) and authorizes the session to continue. In one embodiment, the audit server displays a copy or near-realtime video of the session to the second user, permitting the second user to monitor the actions performed in the session. In another embodiment, the text of the "terminal" part of an SSH session is displayed, with links to transferred files and port forwarding data. In one embodiment, the second user has a button available for triggering immediate termination of the session (with optional immediate closing down of any access to the first user); in one embodiment, pressing this button causes a termination request to be sent from the audit/policy server to the capture component, and upon receiving such termination request, the capture component terminates the session in question. The termination request may include an identifier of the session. An unexpected benefit of suspending a session by a capture component and sending the authorization request to the audit/policy server is that a single user interface can be used to authorize sessions regardless of which firewall, SSH server, or other capture component captures the session. None of the known prior art provides this capability. In one embodiment, the connection to the destination host is not established until the session has been authorized.
In one embodiment, the audit/policy server checks that the user approving the connection is a different user from the user that was authenticated. In one embodiment, the authorization request is sent already before user authentication.
In one embodiment, the capture component adds a second (or additional) authentication method to authentication(s) otherwise performed by a server. For example, when a client connects from an external network through a capture component (e.g., in a firewall), the session is connected to the destination host, and after the capture component receives notification of successful authentication, the capture component requests a second authentication from the client, and only reports successful authentication to the client if this second authentication is successful. In one embodiment, the capture component receives the notification of successful authentication from the destination host, synthesizes a response requesting the desired type of additional authentication from the client, and only upon receiving proper response from the client sends the notification of successful authentication to the client. None of the known prior art does this. An unexpected benefit is that a second factor of authentication can be added by a capture component without a reconfiguration of a server. The second factor could be, for example, SMS-based authentication or RSA SecurID authentication, and requiring it might depend on, e.g., which capture component the connection goes through, the source IP address, and the time of the day.
In one embodiment, an auditing system performs a man-in-the-middle attack on a cryptographic protocol (e.g., SSH, SSL, or TLS, possibly used for tunneling another protocol such as RDP (Windows Remote Desktop) or HTTP (for HTTP/S)). While the auditing system is performing the man-in-the-middle attack and is required to use the private key of the original destination system of the protocol connection, it identifies the server to which the protocol session was targeted, identifies a computer that has access to the private key corresponding to a public key (advantageously embedded in an X.509 certificate for the destination) used for authenticating the server (advantageously this computer is the same computer as the destination server), and connects to that computer for performing a private key operation using the private key (the connection may be protected by a suitable cryptographic protocol, such as SSL, TLS, SSH, IPSec, or XMLSec). It causes that computer to perform a cryptographic operation required for successfully performing the man-in-the-middle attack. A computer having access to a private key does not necessarily mean being able to actually read the private key - it is enough for the computer to be able to perform the required operations using the private key; the key itself could be stored in, e.g., a hardware security module. In one embodiment, the access to the private key is facilitated by a software module (agent) installed on the destination computer. The software module may be provided on a computer readable memory accessible to the computer, and may, e.g., run as a service on that computer and may advantageously be integrated into an SSH server on that computer.
In an embodiment of the invention, captured sessions are sent to a centralized storage server, or vault. The sessions are analyzed on the vault against a set of filtering rules. New filtering rules, potentially including new executable program code for analyzing the sessions, may be added to the vault without necessarily modifying any of the computer components (or more generally, the hosts or virtual machines containing/implementing the capture components). The vault may also be extended in scope to cover multiple computers storing and/or analyzing sessions without modifying the capture components. This is an unexpected benefit provided by having session logs from capture components stored in a separate vault.
In one embodiment, the auditing system is used with a co-operating client and/or server. The protocol used between the client and the server may be the SSH protocol, but could also be, e.g., the SSL protocol. The auditing system has one or more cryptographic keys (public-private key pairs or symmetric encryption keys) that it can use for key escrow between a co-operating client and/or server and an auditing system. During the connection, the client and/or server include(s) sufficient data in the protocol connection to enable the capture component to decrypt the session. In one embodiment, the data comprises an identification of the escrow key used and enough information for decrypting the session provided the decryptor is in possession of the key used for the escrow. In one embodiment, the escrow key is a public-private key pair, with the public key accessible to the client and/or server, and the private key accessible to the auditing system (the capture component capturing the connection between the client/server, and/or the audit server, and/or a separate computer capable of performing a decryption operation using the private key). Using (access to) the private escrow key, the capture component decrypts the connection without performing a man-in-the-middle attack on the connection. In one advantageous variation, the capture component uses the escrow data to decrypt the session for inspection, but sends the original encrypted packet through the capture component without re-encrypting it, reducing processing overhead. In one embodiment, the capture component does not even decrypt the session (and need not itself have access to the escrow data, though advantageously can recognize that the audit server does have access to it and performs a full man-in-the-middle attack if it does not), but just sends a copy of the session to the audit server (including the escrow data). The audit server then decrypts the session based on its configured policy.
In one embodiment, the operation of the capture component depends on policy information provided by the audit/policy server. In one advantageous embodiment, the capture component caches a policy decision, and reuses the previously made decision based on cached information when a compatible (e.g., the same) decision needs to be made in the future. In one embodiment, the data is flushed from the cache after a given time period; in another embodiment, the data is flushed when the audit server notifies the capture component that the policy has changed.
In one embodiment, a capture component is configured with more than one audit/policy/private key server IP address. The capture component attempts to connect to one of the configured audit server IP addresses. In response to the connection attempt failing, the capture component tries to connect to another one of the configured audit server addresses, and repeatedly attempts connections to the configured addresses until a connection succeeds.
In one embodiment, a capture component or an audit server deletes user passwords from the audit data before storing the audit data in long-term storage (long-term storage meaning storage where the data will be kept for hours or days, typically non-volatile magnetic disk with present technology). In one embodiment, the management system indexes the contents of a session, but the password(s) are not included in the index.
In one embodiment, the audit server causes OCR (Optical Character Recognition) to be performed for an RDP session (or other graphical session, such as X11 session or some other remote desktop protocol session). In one embodiment, the OCR is performed essentially immediately when the session data is captured (essentially immediately here meaning approximately within one minute - in any case potentially before the session is terminated if the session is of long duration). In one embodiment, the text resulting from OCR is subjected to indexing for later content-based searches and analysis. In one embodiment, the text is sent to a Data Loss Prevention system (e.g., using the iCAP protocol). In another embodiment, the text is analyzed using one or more analysis algorithms (possibly based on configurable policy), and an alert (e.g., SMS, e-mail, triggered action) is generated in response to an analysis result.
In one embodiment, the capture component performs a man-in-the-middle attack on a cryptographic protocol session embedded within another cryptographic protocol session. For example, the SSH protocol allows TCP/IP ports/connections to be forwarded within an encrypted tunnel, and other cryptographic sessions (e.g., SSH, SSL, TLS) can be embedded within forwarded connections. The capture component decrypts the outer cryptographic protocol using a man-in-the-middle attack, and by inspecting data inside the outer protocol determines that a connection is/may be tunneled. Upon detecting (or being configured to assume) that the embedded connection contains a cryptographic protocol connection, it performs a man-in-the-middle attack on the inner connection. This process may be nested for an arbitrary number of layers. Instead of a man-in-the-middle attack the escrow method described above may alternatively be used for the outer and/or the inner connection(s).
In one embodiment, configured policy information specifies that only some files can be transferred across a cryptographic connection (e.g., an SSH+SFTP connection or FTP/S (SSL+FTP) connection). A capture component (and/or an audit server) decrypts the cryptographic protocol layer(s) and analyzes the file transfer protocol (e.g., SFTP or FTP) inside the cryptographic layer to determine which directories are being accessed and/or which files (or path names) are being transferred. It compares the directories and/or file/path names against the configured policy. Based on the configured policy and the match of the names against it, it determines the action to perform. For example, the policy may permit files in a certain directory to be read and all other operations to be denied. If the file path matches the permitted directory, the request is permitted and passed through the capture component (or regenerated for the other side). If it does not match, the request is not passed through, but instead a failure response is generated and sent to the side originating the request. The policy may also specify that the connection should be disconnected (and potentially other actions taken, such as the access closed for the user account used for authenticating the connection).
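The file-name check described above and in the earlier SFTP/FTP/S policy embodiment can be sketched as follows. This is an added example, not code from the patent; the rule layout, the mode names and the sample paths are assumptions made for illustration. It combines the requested name with the working directory, normalizes it so that `..` components cannot step outside a permitted directory, and evaluates ordered rules with a default of rejecting the request.

```python
import posixpath
import re
from dataclasses import dataclass

# The three outcomes named in the text: pass the request through, answer it
# with a synthesized failure response, or disconnect the session.
PERMIT, REJECT, DISCONNECT = "permit", "reject", "disconnect"


@dataclass(frozen=True)
class Rule:
    pattern: str       # regular expression that must match the whole normalized path
    modes: frozenset   # access modes the rule covers: "read", "write", "create"
    action: str        # PERMIT, REJECT or DISCONNECT


# Constructed sample policy (hypothetical paths); first matching rule wins.
POLICY = [
    Rule(r"/srv/export/.*\.key", frozenset({"read", "write", "create"}), DISCONNECT),
    Rule(r"/srv/export(/.*)?", frozenset({"read"}), PERMIT),
    Rule(r"/srv/incoming/[^/]+", frozenset({"write", "create"}), PERMIT),
]


def resolve(cwd, name):
    """Combine the requested name with the working directory and normalize it."""
    if "\x00" in name:
        raise ValueError("NUL byte in file name")
    path = name if name.startswith("/") else posixpath.join(cwd, name)
    # normpath collapses "." and ".." components, so "a/../../etc" cannot
    # be used to smuggle a path past a directory prefix rule.
    path = posixpath.normpath(path)
    # POSIX normalization keeps exactly two leading slashes; collapse them.
    if path.startswith("//"):
        path = "/" + path.lstrip("/")
    return path


def decide(rules, cwd, name, mode, default=REJECT):
    """Return (action, normalized_path) for one open/create request."""
    try:
        path = resolve(cwd, name)
    except ValueError:
        return default, None
    for rule in rules:
        if mode in rule.modes and re.fullmatch(rule.pattern, path):
            return rule.action, path
    return default, path


if __name__ == "__main__":
    for cwd, name, mode in [
        ("/srv/export", "reports/q1.csv", "read"),
        ("/srv/export", "../../etc/shadow", "read"),
        ("/srv/export", "tls/server.key", "read"),
    ]:
        print(cwd, name, mode, "->", decide(POLICY, cwd, name, mode))
```

The check sees only the names carried in the request; a symbolic link on the destination host can still point outside a permitted directory, so the server's own file permissions remain the backstop.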
An aspect of the invention is auditing a connection only once even if it goes through more than one capture component. In one embodiment, the capture component sends to the audit server (or other suitable server) the source IP, source port, destination IP, and destination port of the connection. The audit server checks if it is already auditing a connection with the same IP addresses and port numbers. If so, it tells the second (and third, and so on) capture component not to audit that connection. Otherwise it tells the capture component to audit it. In one embodiment, it still causes the capture component to audit the connection if more than a predetermined time has elapsed since the original connection was opened or if the new connection comes from the same capture component that was previously auditing that connection. In one embodiment, it closes the previous auditing connection and audits the new connection as an extension to the previous connection (possibly auditing it in the same file or otherwise as part of the same session as the previous connection).
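The audit-once decision on the audit server can be sketched as follows. This is an added example, not code from the patent; the class name, the capture component identifiers and the 3600-second default are assumptions. Addresses are parsed before comparison so that two textual spellings of the same IPv6 address map to the same connection.

```python
import ipaddress
import time
from dataclasses import dataclass


@dataclass
class AuditedConnection:
    capture_id: str    # capture component currently auditing this connection
    opened_at: float   # clock value when that audit was started


class AuditCoordinator:
    """Decides which capture component audits a given connection."""

    def __init__(self, max_age_seconds=3600.0, clock=time.monotonic):
        self.max_age = max_age_seconds   # the "predetermined time" (assumed value)
        self.clock = clock
        self.active = {}                 # 4-tuple key -> AuditedConnection

    @staticmethod
    def _key(src_ip, src_port, dst_ip, dst_port):
        # ip_address objects compare by value, so "2001:db8::1" and
        # "2001:0db8:0:0:0:0:0:1" produce the same key.
        return (ipaddress.ip_address(src_ip), int(src_port),
                ipaddress.ip_address(dst_ip), int(dst_port))

    def should_audit(self, capture_id, src_ip, src_port, dst_ip, dst_port):
        """Return True if this capture component should audit the connection."""
        key = self._key(src_ip, src_port, dst_ip, dst_port)
        now = self.clock()
        existing = self.active.get(key)
        if existing is not None:
            stale = now - existing.opened_at > self.max_age
            same_component = existing.capture_id == capture_id
            if not stale and not same_component:
                # Another component is already auditing this connection.
                return False
        # First sighting, a stale record (ports get reused), or a new
        # connection reported by the component that was auditing before.
        self.active[key] = AuditedConnection(capture_id, now)
        return True

    def closed(self, capture_id, src_ip, src_port, dst_ip, dst_port):
        """Forget a connection once its auditing component reports it closed."""
        key = self._key(src_ip, src_port, dst_ip, dst_port)
        existing = self.active.get(key)
        if existing is not None and existing.capture_id == capture_id:
            del self.active[key]
            return True
        return False


if __name__ == "__main__":
    coord = AuditCoordinator()
    conn = ("10.0.0.5", 50000, "10.1.0.9", 22)   # constructed sample connection
    print(coord.should_audit("fw-edge", *conn))  # first component audits
    print(coord.should_audit("fw-core", *conn))  # second one is told not to
```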
In one embodiment, the contents of one or more transferred files are copied to and stored on an audit server. In one embodiment, the audit server has a database mapping cryptographic hashes of the contents of files to locations of previously stored file contents. When a file is to be audited, a cryptographic hash of the file contents is computed, a lookup is made to the database using the hash value, and only a reference to the file (e.g., the hash value) is stored in the audit log. In one embodiment, the capture component computes the hash of the file, sends the hash (or information derived from it) to the audit server, the audit server performs a lookup from its database using the sent information, and responds to the capture component informing it whether it should send the full contents of the file to the audit server. In response, the capture component either sends or does not send the full contents. In one embodiment, the database also contains information about whether the file has previously passed DLP (or anti-virus or other suitable checks), and in response to the information indicating that the file is acceptable for DLP or other checks, the capture component skips performing DLP or other similar checks on the file again.
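The hash-keyed file store described above, together with the cache of previously inspected files from the DLP embodiment, can be sketched as follows. This is an added example, not code from the patent; SHA-256, the class and function names and the `dlp_check` callback are assumptions. Only a passing verdict is reused, and the server recomputes the hash of uploaded contents instead of trusting the value reported by the capture component.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class StoredFile:
    location: str                      # where the audit server keeps the contents
    dlp_passed: Optional[bool] = None  # None means never checked


class AuditFileIndex:
    """Audit server side: hash -> stored contents and last check verdict."""

    def __init__(self):
        self.by_hash = {}
        self.audit_log = []            # holds references (hashes), never contents

    def query(self, digest):
        """Answer a capture component's lookup: (send_contents, skip_dlp)."""
        entry = self.by_hash.get(digest)
        if entry is None:
            return True, False
        return False, entry.dlp_passed is True

    def store(self, digest, contents, dlp_passed):
        # Recompute the hash so a wrong or forged digest cannot alias
        # different contents onto an already approved entry.
        if hashlib.sha256(contents).hexdigest() != digest:
            raise ValueError("digest does not match contents")
        self.by_hash[digest] = StoredFile("blobs/" + digest, dlp_passed)

    def record_verdict(self, digest, dlp_passed):
        self.by_hash[digest].dlp_passed = dlp_passed

    def log_transfer(self, session_id, path, digest, allowed):
        self.audit_log.append(
            {"session": session_id, "path": path, "sha256": digest, "allowed": allowed}
        )


def handle_transfer(index, session_id, path, contents, dlp_check):
    """Capture component side, run once a whole file has been received.

    Returns (allowed, contents_sent, dlp_ran).
    """
    digest = hashlib.sha256(contents).hexdigest()
    send_contents, skip_dlp = index.query(digest)
    if skip_dlp:
        allowed = True                 # identical contents already passed
    else:
        allowed = bool(dlp_check(contents))
    if send_contents:
        index.store(digest, contents, allowed)
    elif not skip_dlp:
        index.record_verdict(digest, allowed)
    index.log_transfer(session_id, path, digest, allowed)
    return allowed, send_contents, not skip_dlp


if __name__ == "__main__":
    idx = AuditFileIndex()
    check = lambda data: b"SECRET" not in data   # stand-in for a real DLP call
    print(handle_transfer(idx, "s1", "/a/report.txt", b"quarterly numbers", check))
    print(handle_transfer(idx, "s2", "/b/copy.txt", b"quarterly numbers", check))
```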
In one embodiment, an audit system co-operates with a key management system for SSH host keys, SSL server keys/certificates, and/or other keys. When a private key operation needs to be performed, the audit system connects to the key management system and causes the key management system (or a host managed by it) to perform a private key operation needed for performing a man-in-the-middle attack on a cryptographic session.
In one embodiment, when the user has been successfully authenticated but before confirming authentication to the client, the capture component sends an authorization request to the audit server (or other suitable server) with an identification of the user and optionally data about where the user connects from, and/or details about the user's client (e.g., version number and vendor).
Many variations of the above described embodiments will be available to one skilled in the art. In particular, some operations could be reordered, combined, or interleaved, or executed in parallel, and many of the data structures could be implemented differently. When one element, step, or object is specified, in many cases several elements, steps, or objects could equivalently occur. Steps in flowcharts could be implemented, e.g., as state machine states, logic circuits, or optics in hardware components, as instructions, subprograms, or processes executed by a processor, or a combination of these and other techniques.
It is to be understood that the aspects and embodiments of the invention described in this specification may be used in any combination with each other. Several of the aspects and embodiments may be combined together to form a further embodiment of the invention, and not all features, elements, or characteristics of an embodiment necessarily appear in other embodiments. A method, an apparatus, or a computer program product which is an aspect of the invention may comprise any number of the embodiments or elements of the invention described in this specification. Separate references to "an embodiment" or "one embodiment" refer to particular embodiments or classes of embodiments (possibly different embodiments in each case), not necessarily all possible embodiments of the invention. The subject matter described herein is provided by way of illustration only and should not be construed as limiting.
In this specification, selecting has its ordinary meaning, with the extension that selecting from just one alternative means taking that alternative (i.e., the only possible choice), and selecting from no alternatives either returns a "no selection" indicator (such as a NULL pointer), triggers an error (e.g., a "throw" in Lisp or "exception" in Java), or returns a default value, as is appropriate in each embodiment.
A computer may be any general or special purpose computer, workstation, server, laptop, handheld device, smartphone, wearable computer, embedded computer, a system of computers (e.g., a computer cluster, possibly comprising many racks of computing nodes), distributed computer, computerized control system, processor, or other similar apparatus capable of performing data processing. A computing system is a computer or a group of connected computers, such as the computers within an enterprise, or elements thereof.
Computer program code means computer executable or interpretable instructions for causing a computer to perform various actions as determined (in part) by the computer program code. Computer program code may be, e.g., directly executable processor instructions, byte code for execution by a byte code interpreter or emulator, byte code that is compiled into machine-executable instructions (e.g., by a Java Just-In-Time compiler), or source code that is interpretable and/or compilable as machine instructions for controlling a computer (e.g., Python or Tcl code).
A firewall is a computing device that monitors and/or restricts communications between network segments or hosts. Firewalls are frequently installed at the boundaries of an organization's internal network (e.g., at Internet connection points). Sometimes firewalls are also used for dividing the internal network into segments between which traffic is controlled (e.g., to protect critical servers or to establish a DMZ (Demilitarized Zone) for externally visible servers). A firewall may be a stand-alone device, may be integrated into another device (e.g., router or ADSL modem), and may comprise multiple co-operating computers, possibly in a fault-tolerant configuration. A firewall may also be understood as the overall system of elements for establishing a security perimeter, including, e.g., a packet filter ("traditional firewall"), anti-virus detection gateway, DLP (Data Loss Prevention) gateway, IPS (Intrusion Prevention System) or IDS (Intrusion Detection System), traffic recorder for recording data packets going across the firewall for, e.g., forensics purposes, auditing system (for recording access to some or all user accounts), VPN (Virtual Private Network) gateway, etc. A firewall as a whole is usually a kind of computer and may comprise (more restricted) computers as components. Some firewalls are software components that are installed in a computer in addition to its other software (often called host-based firewalls).
A plugin is a software module that can be installed into a larger software system (possibly embedded in a hardware product) in order to extend or modify the functionality of the larger software system, such as by adding support for an additional protocol or file format. Many software packages provide well-defined APIs and installation mechanisms for such software components.
Plaintext (also called cleartext) means the plain (unencrypted) version of some encrypted data, as opposed to ciphertext, the encrypted version. Usually the plaintext can be obtained from the ciphertext by decrypting the ciphertext using a cipher and a decryption key. The exact relationship between the plaintext and ciphertext depends on the encryption method and protocol involved; sometimes it is more complex than just decryption. See, e.g., the SSH protocol specification for examples. Access to the plaintext of an encrypted connection may be provided, e.g., by storing the connection in decrypted (plaintext) format, storing the decryption key (and other related information, such as the cipher name) with the original encrypted data, or by decrypting the original encrypted session into plaintext, and then encrypting it using another key which is then stored in addition to the newly encrypted data (permitting access to the plaintext by decrypting the newly encrypted data using this key). The decryption key might be stored directly or, e.g., encrypted by another key (such as encrypted using a public key, so that it can only be decrypted using a corresponding private key). The encryption key could also be stored using a secret sharing scheme, such as the Shamir or Blakley methods. With secret sharing, access to the decryption key could be made to depend on having K of N secrets (e.g., requiring at least three people out of five to co-operate).
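The K-of-N escrow of a session decryption key mentioned above can be sketched with Shamir's scheme as follows. This is an added example, not code from the specification; the function names, the field prime 2**521 - 1 and the sample key are assumptions chosen for illustration.

```python
"""K-of-N escrow of a session decryption key using Shamir secret sharing.

Added illustration: all names and parameters are assumptions, not taken
from the specification.
"""
import secrets

# Field modulus (assumption): the Mersenne prime 2**521 - 1, large enough
# to hold keys of up to 64 bytes as a single field element.
PRIME = 2**521 - 1


def split_key(key: bytes, k: int, n: int):
    """Split `key` into n shares so that any k of them recover it."""
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too long for the field")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation modulo PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def interpolate_at_zero(shares):
    """Lagrange-interpolate the polynomial through `shares` at x = 0."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_key(shares, k: int, key_len: int) -> bytes:
    """Recover the key from at least k distinct shares."""
    distinct = dict(shares)  # drop duplicate x coordinates
    if len(distinct) < k:
        raise ValueError("not enough distinct shares to reach the threshold")
    value = interpolate_at_zero(sorted(distinct.items()))
    return value.to_bytes(key_len, "big")


if __name__ == "__main__":
    # Constructed sample: a 32-byte session key escrowed 3-of-5.
    session_key = bytes.fromhex("00" + "11" * 31)
    shares = split_key(session_key, k=3, n=5)
    subset = [shares[0], shares[2], shares[4]]
    print(recover_key(subset, k=3, key_len=32) == session_key)
```

Passing the key length to `recover_key` preserves leading zero bytes, which the integer encoding would otherwise drop.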
Substantially all plaintext of a connection means access to one or more of: all plaintext of a connection; all plaintext except passwords and other security-sensitive data; substantially all plaintext of a connection in one direction. When a connection may also be used for transferring files or other attachments, substantially all plaintext does not necessarily include such attachments.
Computer-readable media includes any non-transitory media that can be read by a computer, such as computer-readable magnetic data storage media (e.g., floppies, disk drives, tapes), computer-readable optical data storage media (e.g., disks, tapes, holograms, crystals, strips), semiconductor memories (such as flash memory, memristor memory, and various ROM and RAM technologies), media accessible through an I/O bus and/or interface in a computer, media accessible through a network interface in a computer, and networked servers from which data can be read by another computer.
It is obvious to a person skilled in the art that with the advancement of technology, the basic idea of the invention may be implemented in various ways. The invention and its embodiments are thus not limited to the examples described above, instead they may vary within the scope of the claims.

Claims

1. A system for auditing privileged access to a computing system, characterized in comprising:
- a capture component embedded within a network device, configured to intercept an encrypted connection going through the network device and send information relating to the encrypted connection to an audit server; and
- an audit server residing in a different physical device than the capture component, connected to the capture component via a data communications network, configured to record the information relating to the encrypted connection;
wherein the information recorded relating to the encrypted connection enables inspection of plaintext content of the encrypted connection.
2. A plugin software module stored on computer-readable medium for causing a network device to process encrypted connections, characterized in comprising:
- computer program code for causing the network device to intercept an encrypted connection through the network device; and
- computer program code for causing the network device to send information relating to the encrypted connection to an audit server, the information providing the audit server access to substantially all plaintext of the connection.
3. A computer program product stored on a computer-readable medium, comprising:
- computer program code for causing a computer to act as a server for an SSH connection using the SSH protocol; and
- computer program code for causing information related to the SSH connection to be sent to an audit server, the information providing the audit server access to substantially all plaintext of the SSH connection.
4. A computer program product stored on a computer-readable medium, comprising:
- computer program code for causing a computer to act as a client for an SSH connection using the SSH protocol; and
- computer program code for causing information related to the SSH connection to be sent to an audit server, the information providing the audit server access to substantially all plaintext of the SSH connection.
5. A system for auditing encrypted sessions, characterized in the system being configured to:
- provide an interface in a policy server whereby a user can define a policy that configures which encrypted sessions are to be audited;
- cause an encoded policy to be generated for one or more capture components based on the user-defined policy;
- cause the generated encoded policy to be transmitted to the one or more capture components;
- intercept at least one encrypted session at at least one of the one or more capture components and causing information enabling inspection of plaintext content of the encrypted session to be sent to an audit server; and
- analyze said information at the audit server.
6. A private key server stored on a computer-readable medium, characterized in comprising:
- computer program code for receiving and authenticating a request from a capture component on a host over a data communications network to perform a private key operation using a private key identified in the request, wherein the host with the capture component is different from the host on which the private key server executes;
- computer program code for performing the requested private key operation using the private key; and
- computer program code for sending the result of the private key operation to the requesting host.
7. The private key server of claim 6, wherein the computer program code for performing the requested private key operation using the private key comprises:
- computer program code for sending a request to perform the private key operation using the private key to a second private key server;
- computer program code for receiving a response from the second private key server; and
- computer program code for sending a response to the host that sent the original request.
8. A computer, characterized in comprising:
- a cryptographic protocol component (402) configured to establish a secure connection with a capture component;
- connected to the cryptographic protocol component, an audit log archiver (405) configured to cause audit logs received from the capture component to be recorded in computer readable memory accessible to the computer;
- connected to the audit log archiver (405), an audit data analyzer (406) configured to cause detection of commands that match configured constraint and identification of audit logs containing such commands; and
- connected to the audit log analyzer, a session viewer (408) configured to cause displaying a selected session to a user.
9. The computer of claim 8, wherein the cryptographic protocol component is configured to establish secure connections with more than one capture component simultaneously.
10. A method of reducing memory consumption of audit logs, characterized in comprising:
- computing a hash value of a file transmitted across an encrypted session intercepted by a capture component;
- determining whether the contents of the file have previously been transmitted across an encrypted session, the determination including looking up the hash value from an index;
- in response to the file having been previously transmitted, recording in an audit log constructed for the encrypted session a reference to the previously transmitted file without saving a copy of the transmitted file in the audit log.
11. A method, characterized in comprising:
intercepting an encrypted connection going through a network device; and
sending information relating to the intercepted encrypted connection to an audit server for recording, said information enabling inspection of plaintext content of the intercepted encrypted connection.
12. The method of claim 11, wherein the encrypted connection uses the SSH (Secure Shell) protocol.
13. The method of claim 11, wherein the encrypted connection uses the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocol.
14. The method of claim 11, wherein the encrypted connection uses the RDP (Remote Desktop) protocol.
15. The method of any of claims 11-14, wherein the information comprises at least a portion of the plaintext of the encrypted connection.
16. The method of any of claims 11-15, wherein the information comprises a cryptographic key for decrypting the encrypted connection and the encrypted data of the connection.
17. The method of any of claims 11-16, wherein the information comprises the encrypted data of the connection together with an encrypted cryptographic key that can be decrypted by an audit server to obtain a decryption key for the encrypted data of the connection.
18. The method of any of claims 11-17, further comprising performing a man-in-the-middle attack on the encrypted connection.
19. The method of claim 18, further comprising using a copy of a private key received from an audit server or a private key server in the man-in-the-middle attack.
20. The method of claim 18, further comprising connecting to a server residing on another computer to perform a cryptographic operation using a private key used by the intended destination host of the connection.
21. The method of claim 18, further comprising receiving a private key and X.509 certificate signed by a trusted certificate authority identifying the original destination computer of the encrypted connection, and using the private key and certificate to perform the man-in-the-middle attack on the connection.
22. The method of any of claims 11-21, further comprising controlling which actions may be performed using the encrypted connection.
23. The method of any of claims 11-22, further comprising controlling which files may be transferred.
24. The method of any of claims 11-23, further comprising controlling which TCP/IP ports may be forwarded.
25. The method of any of claims 11-24, further comprising controlling which devices may be accessed.
26. The method of any of claims 11-25, wherein said sending is performed using a protocol that utilizes encryption to protect the information.
27. An apparatus, characterized in comprising:
at least one processor; and
at least one memory including computer program code;
the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus at least to perform:
intercepting an encrypted connection going through a network device; and
sending information relating to the intercepted encrypted connection to an audit server for recording, said information enabling inspection of plaintext content of the intercepted encrypted connection.
28. The apparatus of claim 27, wherein the encrypted connection uses the SSH (Secure Shell) protocol.
29. The apparatus of claim 27, wherein the encrypted connection uses the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocol.
30. The apparatus of claim 27, wherein the encrypted connection uses the RDP (Remote Desktop) protocol.
31. The apparatus of any of claims 27-30, wherein the information comprises at least a portion of the plaintext of the encrypted connection.
32. The apparatus of any of claims 27-31, wherein the information comprises a cryptographic key for decrypting the encrypted connection and the encrypted data of the connection.
33. The apparatus of any of claims 27-32, wherein the information comprises the encrypted data of the connection together with an encrypted cryptographic key that can be decrypted by an audit server to obtain a decryption key for the encrypted data of the connection.
34. The apparatus of any of claims 27-33, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least to perform:
performing a man-in-the-middle attack on the encrypted connection.
35. The apparatus of claim 34, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least to perform:
using a copy of a private key received from an audit server or a private key server in the man-in-the-middle attack.
36. The apparatus of claim 34, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least to perform:
connecting to a server residing on another computer to perform a cryptographic operation using a private key used by the intended destination host of the connection.
37. The apparatus of claim 34, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least to perform:
receiving a private key and X.509 certificate signed by a trusted certificate authority identifying the original destination computer of the encrypted connection, and using the private key and certificate to perform the man-in-the-middle attack on the connection.
38. The apparatus of any of claims 27-37, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least to perform:
controlling which actions may be performed using the encrypted connection.
39. The apparatus of any of claims 27-38, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least to perform:
controlling which files may be transferred.
40. The apparatus of any of claims 27-39, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least to perform:
controlling which TCP/IP ports may be forwarded.
41. The apparatus of any of claims 27-40, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least to perform:
controlling which devices may be accessed.
42. The apparatus of any of claims 27-41, wherein the apparatus is configured to perform said sending by using a protocol that utilizes encryption to protect the information.
43. A method, characterized in comprising:
receiving information relating to an intercepted encrypted connection going through a network device; and
recording the information relating to the intercepted encrypted connection, said information enabling inspection of plaintext content of the intercepted encrypted connection.
44. The method of claim 43, wherein the encrypted connection uses the SSH (Secure Shell) protocol.
45. The method of claim 43, wherein the encrypted connection uses the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocol.
46. The method of claim 43, wherein the encrypted connection uses the RDP (Remote Desktop) protocol.
47. The method of any of claims 43-46, wherein the information comprises at least a portion of the plaintext of the encrypted connection.
48. The method of any of claims 43-47, wherein the information comprises a cryptographic key for decrypting the encrypted connection and the encrypted data of the connection.
49. The method of any of claims 43-48, wherein the information comprises the encrypted data of the connection together with an encrypted cryptographic key that can be decrypted by an audit server to obtain a decryption key for the encrypted data of the connection.
50. The method of any of claims 43-49, further comprising providing a capture component with a copy of a private key for use in a man-in-the-middle attack.
51. The method of any of claims 43-50, further comprising receiving said information from at least two capture components.
52. An apparatus, characterized in comprising:
at least one processor; and
at least one memory including computer program code;
the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus at least to perform:
receiving information relating to an intercepted encrypted connection going through a network device; and
recording the information relating to the intercepted encrypted connection, said information enabling inspection of plaintext content of the intercepted encrypted connection.
53. The apparatus of claim 52, wherein the encrypted connection uses the SSH (Secure Shell) protocol.
54. The apparatus of claim 52, wherein the encrypted connection uses the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocol.
55. The apparatus of claim 52, wherein the encrypted connection uses the RDP (Remote Desktop) protocol.
56. The apparatus of any of claims 52-55, wherein the information comprises at least a portion of the plaintext of the encrypted connection.
57. The apparatus of any of claims 52-56, wherein the information comprises a cryptographic key for decrypting the encrypted connection and the encrypted data of the connection.
58. The apparatus of any of claims 52-57, wherein the information comprises the encrypted data of the connection together with an encrypted cryptographic key that can be decrypted by an audit server to obtain a decryption key for the encrypted data of the connection.
59. The apparatus of any of claims 52-58, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least to perform:
providing a capture component with a copy of a private key for use in a man-in-the-middle attack.
60. The apparatus of any of claims 52-59, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least to perform:
receiving said information from at least two capture components.
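The hash-indexed de-duplication recited in claim 10 can be sketched as follows. This is an added example, not code from the specification; the class and field names are hypothetical, SHA-256 is an assumed choice of hash, and the sample transfers are constructed.

```python
"""Hash-indexed de-duplication of files captured from audited sessions.

Added illustration: names are hypothetical and SHA-256 is an assumed
choice; the claim only requires "a hash value" and "an index".
"""
import hashlib


class AuditFileStore:
    def __init__(self):
        self.index = {}       # hex digest -> blob id of the stored copy
        self.blobs = {}       # blob id -> file contents, stored once
        self.audit_logs = {}  # session id -> list of audit log entries

    def record_transfer(self, session_id, filename, chunks):
        """Record one file transfer seen in an intercepted session.

        `chunks` is an iterable of bytes objects in the order the capture
        component decrypted them; chunk boundaries do not affect the hash.
        """
        digest = hashlib.sha256()
        buffered = []
        for chunk in chunks:
            digest.update(chunk)
            buffered.append(chunk)
        file_hash = digest.hexdigest()
        size = sum(len(c) for c in buffered)

        blob_id = self.index.get(file_hash)
        stored_copy = blob_id is None
        if stored_copy:
            # First sighting of this content: keep one copy and index it.
            blob_id = len(self.blobs) + 1
            self.blobs[blob_id] = b"".join(buffered)
            self.index[file_hash] = blob_id
        # Otherwise the entry below carries only a reference to the
        # earlier copy; no file data is saved for this session.

        entry = {
            "file": filename,
            "sha256": file_hash,
            "size": size,
            "blob": blob_id,
            "stored_copy": stored_copy,
        }
        self.audit_logs.setdefault(session_id, []).append(entry)
        return entry

    def read_file(self, entry):
        """Resolve an audit log entry to file contents and verify them."""
        data = self.blobs[entry["blob"]]
        if hashlib.sha256(data).hexdigest() != entry["sha256"]:
            raise ValueError("stored blob does not match the recorded hash")
        return data

    def bytes_saved(self):
        """Bytes that were referenced instead of stored a second time."""
        return sum(
            e["size"]
            for log in self.audit_logs.values()
            for e in log
            if not e["stored_copy"]
        )


if __name__ == "__main__":
    store = AuditFileStore()
    # Constructed sample transfers from two audited sessions.
    store.record_transfer("session-1", "backup.tar", [b"AAAA", b"BBBB"])
    second = store.record_transfer("session-2", "copy.tar", [b"AA", b"AABBBB"])
    print(second["stored_copy"], store.bytes_saved())
```

The index is keyed on content, so a reused file name with different content is stored again, while the same content under a different name is only referenced.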
PCT/FI2013/050076 2012-01-24 2013-01-24 Privileged access auditing WO2013110857A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP13740858.9A EP2807560B1 (en) 2012-01-24 2013-01-24 Privileged access auditing
EP19210119.4A EP3629181B1 (en) 2012-01-24 2013-01-24 Privileged access auditing

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201261589888P 2012-01-24 2012-01-24
US61/589,888 2012-01-24

Publications (1)

Publication Number Publication Date
WO2013110857A1 true WO2013110857A1 (en) 2013-08-01

Family

ID=48798221

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2013/050076 WO2013110857A1 (en) 2012-01-24 2013-01-24 Privileged access auditing

Country Status (3)

Country Link
US (4) US10091239B2 (en)
EP (2) EP3629181B1 (en)
WO (1) WO2013110857A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9584378B1 (en) 2015-12-22 2017-02-28 International Business Machines Corporation Computer-implemented command control in information technology service environment

Families Citing this family (103)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8935666B2 (en) * 2010-06-30 2015-01-13 Gordon G. MILLER, III Systems and methods for dynamic mobile applications
US9300766B2 (en) * 2012-07-31 2016-03-29 At&T Intellectual Property I, L.P. Method and apparatus for initiating and maintaining sessions between endpoints
US9680813B2 (en) * 2012-10-24 2017-06-13 Cyber-Ark Software Ltd. User provisioning
US9148449B2 (en) * 2013-03-13 2015-09-29 Authentify, Inc. Efficient encryption, escrow and digital signatures
US9172688B2 (en) * 2013-05-03 2015-10-27 Dell Products, Lp Secure shell authentication
US10347286B2 (en) * 2013-07-25 2019-07-09 Ssh Communications Security Oyj Displaying session audit logs
EP3075099B1 (en) 2013-11-25 2019-05-01 McAfee, LLC Secure proxy to protect private data
US9225529B1 (en) * 2013-12-10 2015-12-29 Emc Corporation Encrypted virtual machines in a cloud
CN103618737A (en) * 2013-12-10 2014-03-05 浪潮电子信息产业股份有限公司 VNC console optimization scheme of virtual machines in cloud computing environment
US9369450B1 (en) * 2013-12-19 2016-06-14 Ca, Inc. Methods preserving user identities during login and related systems, devices, and machines
US9699261B2 (en) * 2014-01-14 2017-07-04 Cyber-Ark Software Ltd. Monitoring sessions with a session-specific transient agent
US9854001B1 (en) * 2014-03-25 2017-12-26 Amazon Technologies, Inc. Transparent policies
US9680872B1 (en) 2014-03-25 2017-06-13 Amazon Technologies, Inc. Trusted-code generated requests
US10178181B2 (en) * 2014-04-02 2019-01-08 Cisco Technology, Inc. Interposer with security assistant key escrow
US11665145B1 (en) 2014-05-02 2023-05-30 Navroop Mitter Method of providing end to end encryption with auditability
CN104144087A (en) * 2014-06-13 2014-11-12 国家电网公司 Remote desktop detection system and detection method thereof
US20150381593A1 (en) * 2014-06-27 2015-12-31 International Business Machines Corporation Privileged access gateway for accessing systems and/or applications
US9712563B2 (en) 2014-07-07 2017-07-18 Cyber-Ark Software Ltd. Connection-specific communication management
US9729538B2 (en) * 2014-09-01 2017-08-08 Microsoft Israel Research And Development (2002) Ltd System, method and process for detecting advanced and targeted attacks with the recoupling of kerberos authentication and authorization
SG11201702438VA (en) * 2014-09-25 2017-04-27 Nec Corp Analysis system, analysis device, analysis method, and storage medium having analysis program recorded therein
SG11201702433RA (en) * 2014-09-25 2017-05-30 Nec Corp Analysis System, Analysis Method, And Storage Medium
WO2016053980A1 (en) * 2014-09-29 2016-04-07 Akamai Technologies, Inc. Https request enrichment
US10628406B1 (en) 2014-09-30 2020-04-21 EMC IP Holding Company LLC Method and system for secure data replication data integrity verification
US9961103B2 (en) 2014-10-28 2018-05-01 International Business Machines Corporation Intercepting, decrypting and inspecting traffic over an encrypted channel
CN105592121B (en) * 2014-10-31 2018-10-02 中国科学院声学研究所 A kind of RDP data acquisition devices and method
CN104394129B (en) * 2014-11-05 2017-10-17 中国科学院声学研究所 The acquisition method and device of Secure Shell SSH2 protocol datas
US10187213B2 (en) * 2014-11-07 2019-01-22 Venafi, Inc. Off device storage of cryptographic key material
CN105704091B (en) * 2014-11-25 2018-12-04 中国科学院声学研究所 A kind of session analytic method and system based on SSH agreement
US9538376B2 (en) * 2014-12-23 2017-01-03 Ssh Communications Security Oyj Authenticating data communications
US10284586B1 (en) * 2014-12-23 2019-05-07 Symantec Corporation Data loss prevention techniques for applications with save to web functionality
US10454933B2 (en) * 2015-01-21 2019-10-22 Sequitur Labs, Inc. System and methods for policy-based active data loss prevention
US10516532B2 (en) 2015-01-22 2019-12-24 Micro Focus Llc Session key repository
US9712514B2 (en) 2015-02-08 2017-07-18 Cyber-Ark Software Ltd. Super-session access to multiple target services
US9608963B2 (en) * 2015-04-24 2017-03-28 Cisco Technology, Inc. Scalable intermediate network device leveraging SSL session ticket extension
EP3213209B1 (en) * 2015-05-07 2019-01-30 CyberArk Software Ltd. Systems and methods for detecting and reacting to malicious activity in computer networks
DE212015000313U1 (en) * 2015-06-01 2018-01-24 Sita Information Networking Computing Uk Limited System for monitoring an aircraft stand
US10205712B2 (en) 2015-06-10 2019-02-12 Mcafee, Llc Sentinel appliance in an internet of things realm
US9779222B2 (en) * 2015-06-25 2017-10-03 Extreme Networks, Inc. Secure management of host connections
EP3113443B1 (en) * 2015-07-02 2020-08-26 Telefonica Digital España, S.L.U. Method, a system and computer program products for securely enabling in-network functionality over encrypted data sessions
US10425234B2 (en) * 2015-08-27 2019-09-24 Cavium, Llc Systems and methods for perfect forward secrecy (PFS) traffic monitoring via a hardware security module
FR3041492B1 (en) * 2015-09-21 2017-10-06 Wallix SECURE CONNECTION METHOD, FROM A CLIENT COMPUTER EQUIPMENT, TO A COMPUTER RESOURCE.
US9870482B1 (en) 2015-09-30 2018-01-16 Open Text Corporation Method and system for managing and tracking content dissemination in an enterprise
US9762563B2 (en) 2015-10-14 2017-09-12 FullArmor Corporation Resource access system and method
US9450944B1 (en) 2015-10-14 2016-09-20 FullArmor Corporation System and method for pass-through authentication
US9509684B1 (en) * 2015-10-14 2016-11-29 FullArmor Corporation System and method for resource access with identity impersonation
US9843561B2 (en) 2015-10-15 2017-12-12 Avaya Inc. MiTM proxy having client authentication support
US10581819B1 (en) * 2015-12-17 2020-03-03 Ca, Inc. Network traffic scanning of encrypted data
CN106941476B (en) * 2016-01-05 2019-10-22 中国科学院声学研究所 A kind of method and system SFTP data acquisition and audited
US10291600B2 (en) 2016-06-16 2019-05-14 International Business Machines Corporation Synchronizing secure session keys
US10523635B2 (en) * 2016-06-17 2019-12-31 Assured Information Security, Inc. Filtering outbound network traffic
US10291405B2 (en) 2016-07-15 2019-05-14 International Business Machines Corporation Seamless abort and reinstatement of TLS sessions
US9887975B1 (en) 2016-08-03 2018-02-06 KryptCo, Inc. Systems and methods for delegated cryptography
US10225243B2 (en) 2016-09-30 2019-03-05 Palo Alto Networks, Inc. Intercept-based multifactor authentication enrollment of clients as a network service
US10547600B2 (en) 2016-09-30 2020-01-28 Palo Alto Networks, Inc. Multifactor authentication as a network service
US10701049B2 (en) * 2016-09-30 2020-06-30 Palo Alto Networks, Inc. Time-based network authentication challenges
US10367784B2 (en) 2016-09-30 2019-07-30 Palo Alto Networks, Inc. Detection of compromised credentials as a network service
CN106941487B (en) 2017-02-24 2021-01-05 创新先进技术有限公司 Data sending method and device
US10819749B2 (en) 2017-04-21 2020-10-27 Netskope, Inc. Reducing error in security enforcement by a network security system (NSS)
US10547641B2 (en) * 2017-06-01 2020-01-28 International Business Machines Corporation Transparently converting a TLS session connection to facilitate session resumption
US10542041B2 (en) * 2017-06-01 2020-01-21 International Business Machines Corporation Cacheless session ticket support in TLS inspection
US10567360B2 (en) * 2017-06-29 2020-02-18 Vmware, Inc. SSH key validation in a hyper-converged computing environment
CN107733901A (en) * 2017-10-23 2018-02-23 成都安恒信息技术有限公司 A kind of Windows remote desktops file for O&M auditing system transmits auditing method
US10630483B2 (en) * 2017-10-23 2020-04-21 Legitipix, LLC Anonymous image/video digital signature insertion and authentication
CN107786974A (en) * 2017-10-31 2018-03-09 深圳市鑫宇鹏电子科技有限公司 The method and system that cell phone application communicates with equipment safety in a kind of LAN
US10459743B2 (en) * 2017-11-09 2019-10-29 Vmware, Inc. Network isolation in virtual desktop infrastructure
FR3074329B1 (en) * 2017-11-24 2021-03-05 Wallix METHOD AND DEVICE FOR DISPLAYING ON A LOCAL TERMINAL OF AN APPLICATION EXECUTED ON A REMOTE SERVER BY MEANS OF A REMOTE OFFICE PROTOCOL
US10652224B2 (en) * 2017-12-05 2020-05-12 International Business Machines Corporation Stateless session synchronization between secure communication interceptors
US11133925B2 (en) * 2017-12-07 2021-09-28 Palantir Technologies Inc. Selective access to encrypted logs
CN108173825B (en) * 2017-12-21 2021-01-01 奇安信科技集团股份有限公司 Network flow auditing method and device
US10866963B2 (en) 2017-12-28 2020-12-15 Dropbox, Inc. File system authentication
EP3777009B1 (en) * 2018-04-03 2024-02-14 Telefonaktiebolaget LM Ericsson (publ) Access to content of encrypted data session
US10904292B1 (en) * 2018-09-25 2021-01-26 Amazon Technologies, Inc. Secure data transfer device
CN110971576A (en) * 2018-09-30 2020-04-07 北京国双科技有限公司 Security authentication method and related device
US11070632B2 (en) * 2018-10-17 2021-07-20 Servicenow, Inc. Identifying computing devices in a managed network that are involved in blockchain-based mining
US11558409B2 (en) 2018-10-31 2023-01-17 SpyCloud, Inc. Detecting use of passwords that appear in a repository of breached credentials
US11283832B2 (en) 2018-10-31 2022-03-22 SpyCloud, Inc. Detecting use of compromised security credentials in private enterprise networks
US11438360B2 (en) 2018-10-31 2022-09-06 SpyCloud, Inc. Determining the intersection of a set of compromised credentials with a set of active credentials with data structures and architectures that expedite comparisons
US11399021B2 (en) 2018-10-31 2022-07-26 SpyCloud, Inc. Filtering passwords based on a plurality of criteria
US11087179B2 (en) 2018-12-19 2021-08-10 Netskope, Inc. Multi-label classification of text documents
WO2020140270A1 (en) * 2019-01-04 2020-07-09 Baidu.Com Times Technology (Beijing) Co., Ltd. Method for establishing a secure information exchange channel between a host system and a data processing accelerator
US11461458B2 (en) 2019-02-28 2022-10-04 SpyCloud, Inc. Measuring data-breach propensity
US11368487B2 (en) 2019-05-20 2022-06-21 Cisco Technology, Inc. Applying security policies to web traffic while maintaining privacy
US11212265B2 (en) * 2020-01-09 2021-12-28 Cisco Technology, Inc. Perfect forward secrecy (PFS) protected media access control security (MACSEC) key distribution
US11711351B2 (en) * 2020-01-14 2023-07-25 Vmware, Inc. Distributed management and installation of digital certificates on a cluster for authentication with an external key management service
US11856022B2 (en) 2020-01-27 2023-12-26 Netskope, Inc. Metadata-based detection and prevention of phishing attacks
BR112022015786A2 (en) * 2020-02-10 2022-12-20 Nokia Technologies Oy USER EQUIPMENT AND METHOD FOR DELIVERING ALERT MESSAGES IN PRIVATE NETWORKS
US11275640B2 (en) 2020-04-29 2022-03-15 Kyndryl, Inc. Computer error prevention and reduction
CN111541591B (en) * 2020-07-09 2020-09-15 武汉绿色网络信息服务有限责任公司 SSH-based server detection method and device
CN112039849B (en) * 2020-08-06 2022-03-29 成都安恒信息技术有限公司 SSH-based dual-network safety synchronization system and method
CN112165536B (en) * 2020-09-11 2022-11-11 中国银联股份有限公司 Network terminal authentication method and device
US11258884B1 (en) * 2020-11-25 2022-02-22 Cyberark Software Ltd. Secure remote access based on inspection and validation of remote access protocol traffic
CN112711772A (en) * 2020-12-30 2021-04-27 杭州未名信科科技有限公司 Auditing system, method and storage medium for function execution in service
US11790093B2 (en) * 2021-04-29 2023-10-17 Bank Of America Corporation Cognitive tokens for authorizing restricted access for cyber forensics
US11233801B1 (en) 2021-05-26 2022-01-25 Netskope, Inc. Session protocol update or upgrade web traffic
CN113572741A (en) * 2021-06-30 2021-10-29 深圳市证通云计算有限公司 Method for realizing safe data transmission based on SM2-SM3-SM4 algorithm
US20230140559A1 (en) * 2021-10-29 2023-05-04 Cyberark Software Ltd. Systems and methods for monitoring secure web sessions
US11321472B1 (en) * 2021-10-29 2022-05-03 Cyberark Software Ltd. Systems and methods for monitoring secure web sessions
CN114338087B (en) * 2021-12-03 2024-03-15 成都安恒信息技术有限公司 Directional operation and maintenance auditing method and system based on firewall
WO2023144758A2 (en) * 2022-01-27 2023-08-03 Bubble Workspace Ltd Proxy gateway-based security for rdp-type communications sessions
FR3133685A1 (en) * 2022-03-15 2023-09-22 Serenicity SYSTEM FOR AUTOMATED ANALYSIS OF USER ACTIONS CONNECTED REMOTELY TO A SERVER
CN115904012A (en) * 2023-01-06 2023-04-04 山东中网云安智能科技有限公司 Portable intelligent classification encrypts fort machine system
US11811855B1 (en) * 2023-03-17 2023-11-07 Zscaler, Inc. Policy based agentless file transfer in zero trust private networks
CN117675414A (en) * 2024-01-31 2024-03-08 深圳昂楷科技有限公司 Command auditing method, system and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5978475A (en) * 1997-07-18 1999-11-02 Counterpane Internet Security, Inc. Event auditing system
WO2003038622A1 (en) * 2001-10-29 2003-05-08 Pitney Bowes Inc. Monitoring system for a corporate network
US20040243349A1 (en) * 2003-05-30 2004-12-02 Segue Software, Inc. Method of non-intrusive analysis of secure and non-secure web application traffic in real-time
US20060212270A1 (en) * 2002-03-18 2006-09-21 Simon Shiu Auditing of secure communication sessions over a communications network
US20090220080A1 (en) * 2008-02-29 2009-09-03 Michael Herne Application-Level Service Access to Encrypted Data Streams

Family Cites Families (60)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5881287A (en) * 1994-08-12 1999-03-09 Mast; Michael B. Method and apparatus for copy protection of images in a computer system
US5802320A (en) 1995-05-18 1998-09-01 Sun Microsystems, Inc. System for packet filtering of data packets at a computer network interface
US6393568B1 (en) 1997-10-23 2002-05-21 Entrust Technologies Limited Encryption and decryption system and method with content analysis provision
SG94330A1 (en) 1999-07-24 2003-02-18 Kent Ridge Digital Labs Mobile computing system and method for a network
US6701432B1 (en) 1999-04-01 2004-03-02 Netscreen Technologies, Inc. Firewall including local bus
US7124101B1 (en) * 1999-11-22 2006-10-17 Accenture Llp Asset tracking in a network-based supply chain environment
US7716077B1 (en) * 1999-11-22 2010-05-11 Accenture Global Services Gmbh Scheduling and planning maintenance and service in a network-based supply chain environment
US6636838B1 (en) 2000-02-23 2003-10-21 Sun Microsystems, Inc. Content screening with end-to-end encryption
US20040015725A1 (en) * 2000-08-07 2004-01-22 Dan Boneh Client-side inspection and processing of secure content
US7197638B1 (en) * 2000-08-21 2007-03-27 Symantec Corporation Unified permissions control for remotely and locally stored files whose informational content may be protected by smart-locking and/or bubble-protection
US7660902B2 (en) * 2000-11-20 2010-02-09 Rsa Security, Inc. Dynamic file access control and management
EP1340167A2 (en) * 2000-11-28 2003-09-03 4thPass Inc. Method and system for maintaining and distributing wireless applications
US7275102B2 (en) 2001-01-22 2007-09-25 Sun Microsystems, Inc. Trust mechanisms for a peer-to-peer network computing platform
JP2002319230A (en) * 2001-01-25 2002-10-31 Sony Computer Entertainment Inc Recording medium, information processor, server, and method, program for contents distribution and recording medium thereof
US7149892B2 (en) * 2001-07-06 2006-12-12 Juniper Networks, Inc. Secure sockets layer proxy architecture
GB2385687A (en) * 2002-02-26 2003-08-27 Hewlett Packard Co Apparatus and method for generating a process definition
US8332464B2 (en) * 2002-12-13 2012-12-11 Anxebusiness Corp. System and method for remote network access
US7526800B2 (en) 2003-02-28 2009-04-28 Novell, Inc. Administration of protection of data accessible by a mobile device
US7577838B1 (en) * 2002-12-20 2009-08-18 Alain Rossmann Hybrid systems for securing digital assets
US8020192B2 (en) * 2003-02-28 2011-09-13 Michael Wright Administration of protection of data accessible by a mobile device
US7769994B2 (en) 2003-08-13 2010-08-03 Radware Ltd. Content inspection in secure networks
US20050138426A1 (en) * 2003-11-07 2005-06-23 Brian Styslinger Method, system, and apparatus for managing, monitoring, auditing, cataloging, scoring, and improving vulnerability assessment tests, as well as automating retesting efforts and elements of tests
US20090313682A1 (en) * 2004-01-06 2009-12-17 Saeed Rajput Enterprise Multi-interceptor Based Security and Auditing Method and Apparatus
US7480655B2 (en) 2004-01-09 2009-01-20 Webroot Software, Inc. System and method for protecting files on a computer from access by unauthorized applications
US9436820B1 (en) * 2004-08-02 2016-09-06 Cisco Technology, Inc. Controlling access to resources in a network
US7509493B2 (en) 2004-11-19 2009-03-24 Microsoft Corporation Method and system for distributing security policies
US7496750B2 (en) * 2004-12-07 2009-02-24 Cisco Technology, Inc. Performing security functions on a message payload in a network element
US8806020B1 (en) * 2004-12-20 2014-08-12 Avaya Inc. Peer-to-peer communication session monitoring
US7966643B2 (en) * 2005-01-19 2011-06-21 Microsoft Corporation Method and system for securing a remote file system
US8130768B1 (en) * 2005-07-14 2012-03-06 Avaya Inc. Enhanced gateway for routing between networks
US20070016952A1 (en) 2005-07-15 2007-01-18 Gary Stevens Means for protecting computers from malicious software
FI20050770A (en) 2005-07-19 2007-01-20 Ssh Comm Security Corp Verification in the context of security policy
GB0517303D0 (en) * 2005-08-23 2005-10-05 Netronome Systems Inc System and method for processing secure transmissions
US7877781B2 (en) 2005-12-29 2011-01-25 Nextlabs, Inc. Enforcing universal access control in an information management system
US7877409B2 (en) 2005-12-29 2011-01-25 Nextlabs, Inc. Preventing conflicts of interests between two or more groups using applications
US8621549B2 (en) * 2005-12-29 2013-12-31 Nextlabs, Inc. Enforcing control policies in an information management system
GB0612775D0 (en) * 2006-06-28 2006-08-09 Ibm An apparatus for securing a communications exchange between computers
US9086917B1 (en) * 2006-10-17 2015-07-21 Manageiq, Inc. Registering and accessing virtual systems for use in a managed system
US8949825B1 (en) * 2006-10-17 2015-02-03 Manageiq, Inc. Enforcement of compliance policies in managed virtual systems
US8612971B1 (en) 2006-10-17 2013-12-17 Manageiq, Inc. Automatic optimization for virtual systems
US8701010B2 (en) 2007-03-12 2014-04-15 Citrix Systems, Inc. Systems and methods of using the refresh button to determine freshness policy
JP5036406B2 (en) * 2007-05-30 2012-09-26 エイチジーエスティーネザーランドビーブイ Content data management system and method
US8364666B1 (en) * 2008-01-02 2013-01-29 Verint Americas, Inc. Method and system for context-aware data prioritization using a common scale and logical transactions
US20090292930A1 (en) 2008-04-24 2009-11-26 Marano Robert F System, method and apparatus for assuring authenticity and permissible use of electronic documents
US9720616B2 (en) * 2008-06-18 2017-08-01 Super Talent Technology, Corp. Data-retention controller/driver for stand-alone or hosted card reader, solid-state-drive (SSD), or super-enhanced-endurance SSD (SEED)
US8683052B1 (en) * 2008-10-23 2014-03-25 NexWavSec Software Inc. Online communication risks
US20100154024A1 (en) * 2008-12-12 2010-06-17 At&T Intellectual Property I, L.P. Methods, appliances, and computer program products for controlling access to a communication network based on policy information
US8856869B1 (en) * 2009-06-22 2014-10-07 NexWavSec Software Inc. Enforcement of same origin policy for sensitive data
US9077654B2 (en) 2009-10-30 2015-07-07 Iii Holdings 2, Llc System and method for data center security enhancements leveraging managed server SOCs
EP2320621B1 (en) * 2009-11-06 2016-10-05 F.Hoffmann-La Roche Ag Method for establishing cryptographic communications between a remote device and a medical device and system for carrying out the method
US8578486B2 (en) 2010-06-18 2013-11-05 Microsoft Corporation Encrypted network traffic interception and inspection
US9531754B2 (en) * 2011-02-22 2016-12-27 Dome 9 Security Ltd. Methods, circuits, apparatus, systems and associated software applications for providing security on one or more servers, including virtual servers
US8869259B1 (en) 2011-05-19 2014-10-21 Zscaler, Inc. Cloud based inspection of secure content avoiding man-in-the-middle attacks
WO2013009621A1 (en) 2011-07-08 2013-01-17 Venafi, Inc. System for managing cryptographic keys and trust relationships in a secure shell (ssh) environment
US8856910B1 (en) * 2011-08-31 2014-10-07 Palo Alto Networks, Inc. Detecting encrypted tunneling traffic
IL217279A0 (en) * 2011-12-29 2012-02-29 Israel Ragutski Method and system for ensuring authenticity of ip data served by a service provider
US9202020B2 (en) * 2012-08-21 2015-12-01 Appsense Limited File protection using session-based digital rights management
US9141823B2 (en) * 2013-03-15 2015-09-22 Veridicom, Sa De Cv Abstraction layer for default encryption with orthogonal encryption logic session object; and automated authentication, with a method for online litigation
US8739243B1 (en) * 2013-04-18 2014-05-27 Phantom Technologies, Inc. Selectively performing man in the middle decryption
US10382446B2 (en) * 2015-05-28 2019-08-13 Cameyo Inc. Computerized system, method and computer program product, for managing a computer program's operations

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
See also references of EP2807560A4 *
TECTIA CORPORATION: "Auditing and monitoring", XP008173428, Retrieved from the Internet <URL:http://ssh.com/index.php/solutions-overview/auditing-and-monitoring.html> [retrieved on 20130314] *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9584378B1 (en) 2015-12-22 2017-02-28 International Business Machines Corporation Computer-implemented command control in information technology service environment
US9940466B2 (en) 2015-12-22 2018-04-10 International Business Machines Corporation Computer-implemented command control in information technology service environment

Also Published As

Publication number Publication date
US20130191631A1 (en) 2013-07-25
EP2807560B1 (en) 2019-12-04
US20190334950A1 (en) 2019-10-31
EP2807560A4 (en) 2015-04-01
EP3629181B1 (en) 2022-10-05
US20130191630A1 (en) 2013-07-25
US10091239B2 (en) 2018-10-02
US10469533B2 (en) 2019-11-05
EP2807560A1 (en) 2014-12-03
EP3629181A1 (en) 2020-04-01
US20130191627A1 (en) 2013-07-25

Similar Documents

Publication Publication Date Title
US20190334950A1 (en) Private key operations
US11218446B2 (en) Secure on-premise to cloud communication
US11075955B2 (en) Methods and systems for use in authorizing access to a networked resource
US20200412733A1 (en) System for processing data collected by iot devices
US11805097B2 (en) Decrypting transport layer security traffic without Man-in-the-Middle proxy
US10326756B2 (en) Management of certificate authority (CA) certificates
EP3363150B1 (en) System for providing end-to-end protection against network-based attacks
KR101662614B1 (en) Encrypted data inspection in a network environment
US20140282978A1 (en) Method and apparatus for secure interaction with a computer service provider
US10735465B2 (en) Securing an endpoint in a computer network
US10193857B2 (en) Secure unrestricted network for innovation
Elkabbany et al. Security issues in distributed computing system models
US11539755B1 (en) Decryption of encrypted network traffic using an inline network traffic monitor
Burke et al. Securing Cloud File Systems using Shielded Execution
Deverick A Framework for Active Firewalls

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 13740858; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
WWE WIPO information: entry into national phase (Ref document number: 2013740858; Country of ref document: EP)